Command Injection Vulnerability in Pillow Python Imaging Library
CVE-2026-55798
4.5MEDIUM
What is CVE-2026-55798?
The Pillow Python imaging library is affected by a command injection vulnerability in the WindowsViewer.get_command() function. Prior to version 12.3.0, this function constructed commands using f-strings that directly embedded user-provided file paths without sufficient escaping. This lapse allowed shell metacharacters in the file path to execute arbitrary commands via cmd.exe when passed to subprocess.Popen(..., shell=True). Users are advised to upgrade to version 12.3.0 or later to mitigate this risk.
Affected Version(s)
Pillow < 12.3.0
