Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2628 articles · 174587 vulns · 37/41 feeds (7d)
← Back to list
7.5
CVE-2026-55380EXPLOITED
python · pillow

Pillow GdImageFile decompression bomb protection bypass

Description

A vulnerability was found in Pillow up to 12.2.x. It has been rated as problematic. This impacts the function GdImageFile._open of the file PIL/GdImageFile.py of the component GD Image File Parser. This manipulation causes heap-based buffer overflow. This vulnerability is registered as CVE-2026-55380. Remote exploitation of the attack is possible.

Affected Products

VendorProductVersions
pythonpillow< 12.3.0, 12.2.x

References

  • https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm(x_refsource_CONFIRM)
  • https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675(x_refsource_MISC)
  • https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst(x_refsource_MISC)

Related News (1 articles)

Tier C
VulDB6d ago
CVE-2026-55380 | Pillow up to 12.2.x GD Image File Parser PIL/GdImageFile.py GdImageFile._open heap-based overflow
→ No new info (linked only)
CVSS 3.17.5 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-789
PublishedJul 6, 2026
Last enriched6d agov2
Trending Score25
Source articles1
Independent1
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-15308EXP
Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Trending: 68
MEDIUMCVE-2026-55798EXP
Pillow: WindowsViewer.get_command() OS command injection via unescaped shell path
Trending: 21
HIGHCVE-2026-54006
Open WebUI: Calendar event re-parenting allows writing events into another user's calendar
Trending: 4
HIGHCVE-2026-54010
Open WebUI: Forged chat-file link allows cross-user file read and deletion
Trending: 4
HIGHCVE-2026-54013
Open WebUI: Stored XSS to Account Takeover via Model Profile Images in Open WebUI
Trending: 4

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 6, 2026
Discovered by ZDM
Jul 6, 2026
Actively Exploited
Jul 6, 2026
Updated: description, affectedVersions, severity, activelyExploited
Jul 6, 2026

Version History

v2
Last enriched 6d ago
v2Tier C6d ago

Updated description with new technical details, changed affected versions to include 12.2.x, and updated severity to MEDIUM.

descriptionaffectedVersionsseverityactivelyExploited
via VulDB
v16d ago

Initial creation