PT-2026-58089 · Pypi · Pillow
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-59198
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Pillow versions 5.2.0 through 12.2.x
Description
The TGA RLE encoder in the Pillow Python imaging library reads past its packed row buffer when saving a mode 1 image using TGA RLE compression. This behavior allows adjacent process heap bytes to be copied into the resulting TGA file.
Recommendations
Update to version 12.3.0.
Exploit
Fix
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pillow