CVE-2026-54060
Pillow: `FontFile.compile()`: `Image.new()` called without `_decompression_bomb_check()`
CVSS Score
7.5
EPSS Score
0.3%
EPSS Percentile
26th
Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new("1", (xsize, ysize)) without calling Image._decompression_bomb_check(), allowing a font to trigger excessive allocation during conversion or saving. This issue is fixed in version 12.3.0.
| CWE | CWE-789 |
| Vendor | python-pillow |
| Product | pillow |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for python-pillow pillow
Be the first to know when new high vulnerabilities affecting python-pillow pillow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
python-pillow / Pillow
< 12.3.0