An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.
Pillow 12.1.1 will be released shortly with a fix for this.
Image.open() has a formats parameter that can be used to prevent PSD images from being opened.
Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html
{
"nvd_published_at": "2026-02-11T21:16:20Z",
"cwe_ids": [
"CWE-787"
],
"github_reviewed_at": "2026-02-11T14:22:50Z",
"severity": "HIGH",
"github_reviewed": true
}