PT-2026-58092 · Pypi · Pillow

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-59205

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Pillow versions prior to 12.3.0
Description The ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption. This occurs when the caller provides an output image whose mode is inconsistent with the transform's declared output mode.
Recommendations Update to version 12.3.0.

Exploit

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59205
GHSA-9HW9-CH79-4VH6

Affected Products

Pillow