Pillow

This hub aggregates every CVE we track for Pillow, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Libraries

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

HIGH27MEDIUM22CRITICAL11LOW1

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Pillow.

CVE-2026-42311Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)7.8May 9, 2026
CVE-2026-42310Pillow: PDF Parsing Trailer Infinite Loop (DoS)5.5May 9, 2026
CVE-2026-42308Pillow: Integer overflow when processing fonts5.5May 9, 2026
CVE-2026-42309Pillow: Heap buffer overflow with nested list coordinates5.5May 9, 2026
CVE-2026-40192Pillow is vulnerable to a FITS GZIP decompression bomb7.5Apr 15, 2026
CVE-2026-25990Pillow has an out-of-bounds write when loading PSD images7.5Feb 11, 2026
CVE-2025-48379Pillow Vulnerable to Write Buffer Overflow on BCn encoding7.1Jul 1, 2025
CVE-2024-28219In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.6.7Apr 3, 2024
CVE-2023-50447Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).8.1Jan 19, 2024
CVE-2023-44271An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out ...7.5Nov 3, 2023
CVE-2023-4863Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium secu...KEV8.8Sep 12, 2023
CVE-2022-45199Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.7.5Nov 14, 2022
CVE-2022-45198Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).7.5Nov 14, 2022
CVE-2022-30595libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.9.8May 25, 2022
CVE-2022-24303Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.9.1Mar 28, 2022

Product normalization is registry-driven with AI assist and human review. How it works