CVE-2026-25990
ADVISORY - githubSummary
Impact
An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.
Patches
Pillow 12.1.1 will be released shortly with a fix for this.
Workarounds
Image.open() has a formats parameter that can be used to prevent PSD images from being opened.
References
Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html
Common Weakness Enumeration (CWE)
ADVISORY - github
Out-of-bounds Write
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-cfh3-3jmp-rvhc
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
N/Ahigh| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| pillow | pypi | - | - | >=10.3.0,<12.1.1 | 12.1.1 |
Severity and metrics
No CVSS data available from this advisory.