Heap Corruption Vulnerability in Python Imaging Library by Pillow
CVE-2026-59205

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-59205?

In the Pillow Python imaging library, a vulnerability exists in the ImageCms.ImageCmsTransform.apply method prior to version 12.3.0. This flaw can cause controlled native heap corruption if users provide an output image whose color mode does not match the expected output mode dictated by the transformation. This can potentially lead to unexpected behavior and security risks. The issue is rectified in version 12.3.0, making it essential for users to update to mitigate these risks.

Affected Version(s)

Pillow < 12.3.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.