GHSA-5xmw-vc9v-4wf2

Source
https://github.com/advisories/GHSA-5xmw-vc9v-4wf2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5xmw-vc9v-4wf2/GHSA-5xmw-vc9v-4wf2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5xmw-vc9v-4wf2
Aliases
Downstream
Related
Published
2026-05-04T20:18:27Z
Modified
2026-05-13T13:45:10.653199314Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Pillow has a heap buffer overflow with nested list coordinates
Details

Passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This was introduced in Pillow 11.2.1.
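The fix described above is input validation: a coordinate argument must be either a flat sequence of numbers of even length or a sequence of (x, y) pairs, and anything nested more deeply must be rejected before it reaches the native code. The following is an added example written for this page, not Pillow's own validation code: a pure-Python pre-check a caller can apply to coordinates before handing them to ImageDraw, plus a helper that tells whether an installed Pillow version falls in the advisory's affected range (introduced 11.2.1, fixed 12.2.0). The function names, the decision to reject booleans, and the handling of pre-release version tags (numeric components only are compared) are this example's assumptions.

```python
import re
from typing import List, Sequence, Tuple

# Affected range from the advisory's ECOSYSTEM events: [11.2.1, 12.2.0).
INTRODUCED = (11, 2, 1)
FIXED = (12, 2, 0)


def _is_number(v) -> bool:
    # bool is a subclass of int; treating True/False as coordinates is
    # almost always a caller bug, so reject it (assumption of this example).
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def normalize_coordinates(xy: Sequence) -> List[float]:
    """Return a flat [x0, y0, x1, y1, ...] list or raise.

    Accepted shapes:
      * flat sequence of numbers with even length, e.g. [0, 0, 10, 5]
      * sequence of 2-element (x, y) pairs, e.g. [(0, 0), (10, 5)]
    Rejected: deeper nesting such as [[(0, 0), (10, 5)]], pairs that are
    not exactly two numbers, strings, and mixed flat/pair input.
    """
    if isinstance(xy, (str, bytes)) or not isinstance(xy, Sequence):
        raise TypeError("coordinates must be a list or tuple")

    # Shape 1: every element is a plain number -> flat list.
    if all(_is_number(v) for v in xy):
        if len(xy) % 2:
            raise ValueError("flat coordinate list must have an even length")
        return [float(v) for v in xy]

    # Shape 2: every element must be an (x, y) pair of numbers.
    flat: List[float] = []
    for i, pt in enumerate(xy):
        if isinstance(pt, (str, bytes)) or not isinstance(pt, Sequence):
            raise TypeError(f"point {i} is neither a number nor an (x, y) pair")
        if len(pt) != 2:
            raise ValueError(f"point {i} must have exactly two coordinates, got {len(pt)}")
        x, y = pt
        if not (_is_number(x) and _is_number(y)):
            # This is the nested-list case: a "pair" whose members are
            # themselves sequences is refused instead of being unpacked.
            raise TypeError(f"point {i} contains a non-numeric coordinate")
        flat.extend((float(x), float(y)))
    return flat


def parse_version(version: str) -> Tuple[int, int, int]:
    """Leading numeric components of a version string, padded to three."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore[return-value]


def pillow_is_affected(version: str) -> bool:
    """True if a Pillow version lies in the advisory's affected range."""
    return INTRODUCED <= parse_version(version) < FIXED


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    print(normalize_coordinates([(0, 0), (10, 5), (3, 8)]))
    for bad in ([[(0, 0), (10, 5)]], [(0, 0, 0)], [1, 2, 3]):
        try:
            normalize_coordinates(bad)
        except (TypeError, ValueError) as exc:
            print(f"rejected {bad!r}: {exc}")
    try:
        import PIL  # optional: only used to report the installed version
        print("installed Pillow", PIL.__version__, "affected:", pillow_is_affected(PIL.__version__))
    except ImportError:
        print("Pillow not installed; version check skipped")
```

Running normalize_coordinates on every caller-supplied coordinate list and only then calling ImageDraw keeps untrusted shapes out of the native layer on versions that predate the fix; the version helper is for inventorying deployments against the 11.2.1 to 12.1.1 range, not a substitute for upgrading to 12.2.0.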

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-122"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-05-04T20:18:27Z",
    "nvd_published_at": "2026-05-09T06:16:10Z"
}
References

Affected packages

PyPI / pillow
  Affected ranges (type ECOSYSTEM): introduced 11.2.1, fixed 12.2.0
  Affected versions:
    11.*: 11.2.1, 11.3.0
    12.*: 12.0.0, 12.1.0, 12.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5xmw-vc9v-4wf2/GHSA-5xmw-vc9v-4wf2.json"