Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2632 articles · 174619 vulns · 37/41 feeds (7d)
← Back to list
4.5
CVE-2026-55798EXPLOITED
python · pillow

Pillow: WindowsViewer.get_command() OS command injection via unescaped shell path

Description

Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allowing shell metacharacters in the file path to inject arbitrary cmd.exe commands. This issue is fixed in version 12.3.0.

Affected Products

VendorProductVersions
pythonpillow< 12.3.0

References

  • https://github.com/python-pillow/Pillow/security/advisories/GHSA-4x4j-2g7c-83w6(x_refsource_CONFIRM)
  • https://github.com/python-pillow/Pillow/commit/8404ea5fe5df40fc34aa1e51403dd6fce0778b8a(x_refsource_MISC)
  • https://github.com/python-pillow/Pillow/commit/88194166691b7b603529b8b036ab3ab9cedd2de4(x_refsource_MISC)
  • https://github.com/python-pillow/Pillow/commit/b0e06caa64c1405aa3da0bb1d2bd9a77ca22de7f(x_refsource_MISC)
  • https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst(x_refsource_MISC)

Related News (1 articles)

Tier C
VulDB6d ago
CVE-2026-55798 | Pillow up to 12.2.0 Command Builder WindowsViewer.get_command os command injection
→ No new info (linked only)
CVSS 3.14.5 MEDIUM
VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-78
PublishedJul 6, 2026
Last enriched6d agov2
Trending Score20
Source articles1
Independent1
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-15308EXP
Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Trending: 67
MEDIUMCVE-2026-55380EXP
Pillow GdImageFile decompression bomb protection bypass
Trending: 25
HIGHCVE-2026-54006
Open WebUI: Calendar event re-parenting allows writing events into another user's calendar
Trending: 4
HIGHCVE-2026-54010
Open WebUI: Forged chat-file link allows cross-user file read and deletion
Trending: 4
HIGHCVE-2026-54013
Open WebUI: Stored XSS to Account Takeover via Model Profile Images in Open WebUI
Trending: 4

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 6, 2026
Discovered by ZDM
Jul 6, 2026
Updated: severity, affectedVersions, activelyExploited
Jul 6, 2026
Actively Exploited
Jul 7, 2026

Version History

v2
Last enriched 6d ago
v2Tier C6d ago

Updated severity to CRITICAL, affected versions to < 12.2.0, and marked the vulnerability as actively exploited.

severityaffectedVersionsactivelyExploited
via VulDB
v16d ago

Initial creation