PYSEC-2026-2262

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/psd-tools/PYSEC-2026-2262.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2262
Aliases
Published
2026-02-26T00:16:26.233Z
Modified
2026-07-13T07:15:40.078708735Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decoderle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decoderle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.

References

Affected packages

PyPI / psd-tools

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.2

Affected versions

0.*
0.1.1
0.1.2
0.1.3
0.1.4
0.2
0.5
0.6
0.7
0.7.1
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.9
0.9.1
0.10
1.*
1.0
1.1
1.2
1.3
1.4
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.21
1.8.22
1.8.23
1.8.24
1.8.25
1.8.26
1.8.27
1.8.28
1.8.29
1.8.30
1.8.31
1.8.32
1.8.33
1.8.34
1.8.35
1.8.36
1.8.37
1.8.38
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.9.13
1.9.14
1.9.15
1.9.16
1.9.17
1.9.18
1.9.19
1.9.20
1.9.21
1.9.22
1.9.23
1.9.24
1.9.26
1.9.27
1.9.28
1.9.29
1.9.30
1.9.31
1.9.32
1.9.33
1.9.34
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.10.10
1.10.11
1.10.12
1.10.13
1.11.0
1.11.1
1.12.0
1.12.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/psd-tools/PYSEC-2026-2262.yaml"