PT-2026-55963 · Python Pillow · Pillow

Dino320

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-54060

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new("1", (xsize, ysize)) without calling Image. decompression bomb check(), allowing a font to trigger excessive allocation during conversion or saving. This issue is fixed in version 12.3.0.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54060

Affected Products

Pillow