Vulnerable Library - weasyprint-68.0-py3-none-any.whl
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (weasyprint version) |
Remediation Possible** |
| CVE-2026-42311 |
 High |
8.4 |
pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl |
Transitive |
N/A* |
❌ |
| CVE-2026-25990 |
High |
8.4 |
pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl |
Transitive |
N/A* |
❌ |
| CVE-2026-40192 |
High |
7.5 |
pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-42311
Vulnerable Library - pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/4c/5d/45a3553a253ac8763f3561371432a90bdbe6000fbdcf1397ffe502aa206c/pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Dependency Hierarchy:
- weasyprint-68.0-py3-none-any.whl (Root Library)
- ❌ pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
Publish Date: 2026-05-09
URL: CVE-2026-42311
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwv6-vv43-88gr
Release Date: 2026-05-09
Fix Resolution: pillow - 12.2.0,pillow - 12.2.0
Step up your Open Source Security Game with Mend here
CVE-2026-25990
Vulnerable Library - pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/4c/5d/45a3553a253ac8763f3561371432a90bdbe6000fbdcf1397ffe502aa206c/pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Dependency Hierarchy:
- weasyprint-68.0-py3-none-any.whl (Root Library)
- ❌ pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution: pillow - 12.1.1,https://github.com/python-pillow/Pillow.git - 12.1.1
Step up your Open Source Security Game with Mend here
CVE-2026-40192
Vulnerable Library - pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/4c/5d/45a3553a253ac8763f3561371432a90bdbe6000fbdcf1397ffe502aa206c/pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Dependency Hierarchy:
- weasyprint-68.0-py3-none-any.whl (Root Library)
- ❌ pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
Step up your Open Source Security Game with Mend here
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/4c/5d/45a3553a253ac8763f3561371432a90bdbe6000fbdcf1397ffe502aa206c/pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Dependency Hierarchy:
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
Publish Date: 2026-05-09
URL: CVE-2026-42311
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pwv6-vv43-88gr
Release Date: 2026-05-09
Fix Resolution: pillow - 12.2.0,pillow - 12.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/4c/5d/45a3553a253ac8763f3561371432a90bdbe6000fbdcf1397ffe502aa206c/pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Dependency Hierarchy:
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution: pillow - 12.1.1,https://github.com/python-pillow/Pillow.git - 12.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/4c/5d/45a3553a253ac8763f3561371432a90bdbe6000fbdcf1397ffe502aa206c/pillow-11.3.0-cp310-cp310-macosx_10_10_x86_64.whl
Dependency Hierarchy:
Found in HEAD commit: 96b451e7efb1fb027f04ff5ec082ddae9c5cefe2
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
Step up your Open Source Security Game with Mend here