PT-2026-58090 · Pypi · Pillow

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-59199

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Pillow versions prior to 12.3.0
Description Public image coordinate APIs in the Pillow Python imaging library can trigger a native heap out-of-bounds write. This occurs when coordinates near the signed 32-bit integer limits are provided to the Image.paste(), Image.crop(), or Image.alpha composite() functions.
Recommendations Update to version 12.3.0. As a temporary mitigation, avoid providing coordinates near the signed 32-bit integer limits to the Image.paste(), Image.crop(), and Image.alpha composite() functions.

Exploit

Fix

Integer Overflow

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59199
GHSA-6R8X-57C9-28J4

Affected Products

Pillow