PT-2026-55966 · Python Pillow · Pillow

1121984919

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-55798

CVSS v3.1

4.5

Medium

VectorAV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allowing shell metacharacters in the file path to inject arbitrary cmd.exe commands. This issue is fixed in version 12.3.0.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55798

Affected Products

Pillow