Command Injection Vulnerability in Pillow Python Imaging Library
CVE-2026-55798

4.5MEDIUM

Key Information:

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-55798?

The Pillow Python imaging library is affected by a command injection vulnerability in the WindowsViewer.get_command() function. Prior to version 12.3.0, this function constructed commands using f-strings that directly embedded user-provided file paths without sufficient escaping. This lapse allowed shell metacharacters in the file path to execute arbitrary commands via cmd.exe when passed to subprocess.Popen(..., shell=True). Users are advised to upgrade to version 12.3.0 or later to mitigate this risk.

Affected Version(s)

Pillow < 12.3.0

References

CVSS V3.1

Score:
4.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.