{"api_version":"1","generated_at":"2026-07-15T03:58:03+00:00","cve":"CVE-2026-59205","urls":{"html":"https://cve.report/CVE-2026-59205","api":"https://cve.report/api/cve/CVE-2026-59205.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-59205","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-59205"},"summary":{"title":"Pillow: Controlled heap out-of-bounds write in `ImageCmsTransform.apply()` via output mode mismatch","description":"Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's declared output mode. This issue is fixed in version 12.3.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-14 16:17:02","updated_at":"2026-07-14 20:09:27"},"problem_types":["CWE-787","CWE-787 CWE-787: Out-of-bounds Write"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/python-pillow/Pillow/pull/9715","name":"https://github.com/python-pillow/Pillow/pull/9715","refsource":"security-advisories@github.com","tags":["Issue Tracking","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/python-pillow/Pillow/commit/a9ffc42bedf4fc0a7ef8d6486e7f9e81e3397721","name":"https://github.com/python-pillow/Pillow/commit/a9ffc42bedf4fc0a7ef8d6486e7f9e81e3397721","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/python-pillow/Pillow/releases/tag/12.3.0","name":"https://github.com/python-pillow/Pillow/releases/tag/12.3.0","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-9hw9-ch79-4vh6","name":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-9hw9-ch79-4vh6","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-59205","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59205","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"python-pillow","product":"Pillow","version":"affected < 12.3.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"59205","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"pillow","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-59205","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-14T17:30:37.376489Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T17:31:36.064Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-9hw9-ch79-4vh6"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Pillow","vendor":"python-pillow","versions":[{"status":"affected","version":"< 12.3.0"}]}],"descriptions":[{"lang":"en","value":"Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's declared output mode. This issue is fixed in version 12.3.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"CWE-787: Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T15:48:39.962Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-9hw9-ch79-4vh6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-9hw9-ch79-4vh6"},{"name":"https://github.com/python-pillow/Pillow/pull/9715","tags":["x_refsource_MISC"],"url":"https://github.com/python-pillow/Pillow/pull/9715"},{"name":"https://github.com/python-pillow/Pillow/commit/a9ffc42bedf4fc0a7ef8d6486e7f9e81e3397721","tags":["x_refsource_MISC"],"url":"https://github.com/python-pillow/Pillow/commit/a9ffc42bedf4fc0a7ef8d6486e7f9e81e3397721"},{"name":"https://github.com/python-pillow/Pillow/releases/tag/12.3.0","tags":["x_refsource_MISC"],"url":"https://github.com/python-pillow/Pillow/releases/tag/12.3.0"}],"source":{"advisory":"GHSA-9hw9-ch79-4vh6","discovery":"UNKNOWN"},"title":"Pillow: Controlled heap out-of-bounds write in `ImageCmsTransform.apply()` via output mode mismatch"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-59205","datePublished":"2026-07-14T15:48:39.962Z","dateReserved":"2026-07-02T21:05:02.924Z","dateUpdated":"2026-07-14T17:31:36.064Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 16:17:02","lastModifiedDate":"2026-07-14 20:09:27","problem_types":["CWE-787","CWE-787 CWE-787: Out-of-bounds Write"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T17:30:37.376489Z","id":"CVE-2026-59205","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*","versionEndExcluding":"12.3.0","matchCriteriaId":"6372231F-529B-45CD-978E-3F2AEFF5F95C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"59205","Ordinal":"1","Title":"Pillow: Controlled heap out-of-bounds write in `ImageCmsTransfor","CVE":"CVE-2026-59205","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"59205","Ordinal":"1","NoteData":"Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's declared output mode. This issue is fixed in version 12.3.0.","Type":"Description","Title":"Pillow: Controlled heap out-of-bounds write in `ImageCmsTransfor"}]}}}