cvedb.io
CVE-2026-42309
MEDIUM · CVSS 5.5
EPSS exploitation probability: 0%
Published 2026-05-09T06:16:10.073 · Last modified 2026-06-17T10:47:40.293

Summary

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
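As an added example (not Pillow's own code and not part of the advisory), the sketch below checks a version string such as `PIL.__version__` against the affected range stated above and pre-validates coordinates with the same rule the fix enforces: each point is exactly two numbers. The names `is_affected` and `check_coords` are hypothetical, and the version parser is a simplification that ignores pre-release suffixes.

```python
from numbers import Real

AFFECTED_FROM = (11, 2, 1)   # first affected version, per the advisory
FIXED_IN = (12, 2, 0)        # first patched version, per the advisory


def parse_version(text):
    """Turn '11.3.0' into (11, 3, 0); any non-digit suffix is ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True if the version falls in [11.2.1, 12.2.0)."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def _is_number(value):
    # bool is a subclass of int; reject it so True/False are not coordinates
    return isinstance(value, Real) and not isinstance(value, bool)


def check_coords(xy):
    """Return xy as a flat list of floats, or raise ValueError.

    Accepts a flat [x0, y0, x1, y1, ...] list or a list of (x, y) pairs.
    Anything nested deeper than one pair level is rejected.
    """
    items = list(xy)
    if items and all(_is_number(v) for v in items):
        if len(items) % 2:
            raise ValueError("flat coordinate list needs an even length")
        return [float(v) for v in items]
    flat = []
    for point in items:
        if (not isinstance(point, (list, tuple)) or len(point) != 2
                or not all(_is_number(v) for v in point)):
            raise ValueError(f"not an (x, y) numeric pair: {point!r}")
        flat.extend(float(v) for v in point)
    return flat
```

Calling `check_coords` on untrusted input before handing it to `ImagePath.Path`, `polygon` or `line` keeps nested lists away from the affected code path on installations that cannot yet move to 12.2.0.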

Affected products

python — pillow

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.