Python-Pillow Pillow vulnerabilities

3 known vulnerabilities affecting python-pillow/pillow.

Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2026-40192 | HIGH | CVSS 8.7 | affected versions >= 10.3.0, < 12.2.0 | published 2026-04-15
CVE-2026-40192 [HIGH] CWE-400: Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If
Sources: cvelistv5, nvd
CVE-2026-25990 | HIGH | CVSS 8.9 | affected versions >= 10.3.0, < 12.1.1 | published 2026-02-11
CVE-2026-25990 [HIGH] CWE-787: Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Sources: cvelistv5, nvd
CVE-2025-48379 | MEDIUM | CVSS 5.5 | affected versions >= 11.2.0, < 11.3.0 | published 2025-07-01
CVE-2025-48379 [MEDIUM] CWE-122: Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issu
Sources: cvelistv5, nvd