OS Command Injection in Pillow - CVE-2026-55798
Published: July 3, 2026
Pillow
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to command injection in WindowsViewer.get_command() in src/PIL/ImageShow.py when processing a file path in a shell command. A remote attacker can supply a specially crafted file path containing shell metacharacters to execute arbitrary commands.
Exploitation requires user interaction: the crafted file path must be opened on a Windows system.
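The class of bug described above, as an added example that is not Pillow's code or its fix: a file path interpolated into a string parsed by cmd.exe, a check for when the path escapes its quotes, and a viewer launch that avoids the shell. The command template, function names and sample paths are constructed for illustration.

```python
import os
import subprocess
import sys

# Characters cmd.exe can act on even when the argument is wrapped in double
# quotes: a quote ends the quoting, and % expands variables inside quotes.
CMD_UNSAFE = frozenset('"%&|<>^!\r\n')


def shell_string_command(file: str) -> str:
    """Risky pattern (simplified, hypothetical template): path inside a shell string."""
    return f'start "viewer" /WAIT "{file}"'


def operators_outside_quotes(command: str) -> list[str]:
    """Return cmd.exe operators that fall outside double-quoted spans."""
    found, quoted = [], False
    for ch in command:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "&|<>":
            found.append(ch)
    return found


def check_path(file: str) -> str:
    """Reject paths carrying cmd.exe metacharacters; return the path otherwise."""
    bad = sorted(CMD_UNSAFE.intersection(file))
    if bad:
        raise ValueError(f"unsafe characters in path: {bad!r}")
    return file


def open_in_viewer(file: str) -> None:
    """Open a file in the default viewer without building a shell string."""
    path = check_path(file)
    if sys.platform == "win32":
        os.startfile(path)  # ShellExecute; the path is never parsed by cmd.exe
    else:
        subprocess.run(["xdg-open", path], check=False)  # argv list, no shell


# Constructed sample inputs (not taken from the advisory).
BENIGN = r"C:\Users\alice\Pictures\cat.png"
CRAFTED = 'C:\\tmp\\a" & echo INJECTED & ".png'
```

`operators_outside_quotes` is useful as a unit-test oracle for any code that still builds shell strings; `check_path` is a deny-list and is no substitute for launching the viewer without a shell.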