CVE-2026-55798
ADVISORY - debianSummary
Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allowing shell metacharacters in the file path to inject arbitrary cmd.exe commands. This issue is fixed in version 12.3.0.
- pillow (Only affects Windows specific WindowsViewer) https://github.com/python-pillow/Pillow/security/advisories/GHSA-4x4j-2g7c-83w6
EPSS Score: 0.00136 (0.035)
Common Weakness Enumeration (CWE)
ADVISORY - redhat
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-55798
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AlowUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-55798
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AmediumPypA
CREATED
UPDATED
ADVISORY ID
PYSEC-2026-2257
EXPLOITABILITY SCORE
1.0
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
4.5mediumBitnami
CREATED
UPDATED
ADVISORY ID
BIT-pillow-2026-55798
EXPLOITABILITY SCORE
1.0
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
4.5mediumRed Hat
CREATED
UPDATED
ADVISORY IDCVE-2026-55798
EXPLOITABILITY SCORE
1.0
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)