CVE-2023-50447 — Code Injection in Pillow

CWE-94 — Code Injection CWE-95 — Eval Injection CWE-77 — Command Injection15 documents10 sources

Severity

8.1HIGHNVD

CNA9.8GHSA9.8OSV9.8OSV9.1OSV7.5

EPSS

0.8%

top 26.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Debian Linux Paloalto Pan-os

Timeline

PublishedJan 19

Latest updateMar 31

Description

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶PyPIpython/pillow< 10.2.0

▶Debianpython/pillow< 8.1.2+dfsg-0.3+deb11u2+3

▶Ubuntupython/pillow< 7.0.0-4ubuntu0.8+4

▶NVDpython/pillow10.1.0

▶Palo Altopaloalto/pan-os

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

pillow vulnerabilities↗2026-03-31

▶

OSV

pillow vulnerabilities↗2024-01-30

▶

GHSA

Arbitrary Code Execution in Pillow↗2024-01-19

▶

OSV

Arbitrary Code Execution in Pillow↗2024-01-19

▶

OSV

CVE-2023-50447: Pillow through 10↗2024-01-19

▶

📋Vendor Advisories

Ubuntu

Pillow vulnerabilities↗2026-03-31

▶

CISA ICS

Schneider Electric EcoStruxure Power Operation (Update A)↗2026-02-26

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Reports (Pillow) — CVE-2023-50447↗2024-10-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Reports (Pillow) — CVE-2023-50447↗2024-07-15

▶

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶