PT-2026-58089 · Pypi · Pillow

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-59198

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Pillow versions 5.2.0 through 12.2.x
Description The TGA RLE encoder in the Pillow Python imaging library reads past its packed row buffer when saving a mode 1 image using TGA RLE compression. This behavior allows adjacent process heap bytes to be copied into the resulting TGA file.
Recommendations Update to version 12.3.0.

Exploit

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59198
GHSA-FJ7V-R99M-22GQ

Affected Products

Pillow