Vulnerable Library - matplotlib-3.9.4-cp310-cp310-macosx_10_12_x86_64.whl
Path to dependency file: /advanced_strategies/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250302044719_OUODAM/python_YEZQVE/202503020453541/env/lib/python3.9/site-packages/fonttools-4.56.0.dist-info
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (matplotlib version) |
Remediation Possible** |
| CVE-2026-40192 |
 High |
7.5 |
pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl |
Transitive |
N/A* |
❌ |
| CVE-2025-66034 |
 Medium |
6.3 |
fonttools-4.56.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl |
Transitive |
3.10.0 |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40192
Vulnerable Library - pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/75/fb/e330fdbbcbc4744214b5f53b84d9d8a9f4ffbebc2e9c2ac10475386e3296/pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl
Path to dependency file: /advanced_strategies/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250302044719_OUODAM/python_YEZQVE/202503020453541/env/lib/python3.9/site-packages/pillow-11.1.0.dist-info
Dependency Hierarchy:
- matplotlib-3.9.4-cp310-cp310-macosx_10_12_x86_64.whl (Root Library)
- ❌ pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
Step up your Open Source Security Game with Mend here
CVE-2025-66034
Vulnerable Library - fonttools-4.56.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tools to manipulate font files
Library home page: https://files.pythonhosted.org/packages/56/af/78b2c901949ca37c02ba4eec88020479e929b7d1126af30ee9d7e44b4c4c/fonttools-4.56.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /advanced_strategies/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250302044719_OUODAM/python_YEZQVE/202503020453541/env/lib/python3.9/site-packages/fonttools-4.56.0.dist-info
Dependency Hierarchy:
- matplotlib-3.9.4-cp310-cp310-macosx_10_12_x86_64.whl (Root Library)
- ❌ fonttools-4.56.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Publish Date: 2025-11-29
URL: CVE-2025-66034
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-768j-98cg-p3fv
Release Date: 2025-11-29
Fix Resolution (fonttools): 4.60.2
Direct dependency fix Resolution (matplotlib): 3.10.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /advanced_strategies/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250302044719_OUODAM/python_YEZQVE/202503020453541/env/lib/python3.9/site-packages/fonttools-4.56.0.dist-info
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/75/fb/e330fdbbcbc4744214b5f53b84d9d8a9f4ffbebc2e9c2ac10475386e3296/pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl
Path to dependency file: /advanced_strategies/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250302044719_OUODAM/python_YEZQVE/202503020453541/env/lib/python3.9/site-packages/pillow-11.1.0.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - fonttools-4.56.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tools to manipulate font files
Library home page: https://files.pythonhosted.org/packages/56/af/78b2c901949ca37c02ba4eec88020479e929b7d1126af30ee9d7e44b4c4c/fonttools-4.56.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /advanced_strategies/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250302044719_OUODAM/python_YEZQVE/202503020453541/env/lib/python3.9/site-packages/fonttools-4.56.0.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Publish Date: 2025-11-29
URL: CVE-2025-66034
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-768j-98cg-p3fv
Release Date: 2025-11-29
Fix Resolution (fonttools): 4.60.2
Direct dependency fix Resolution (matplotlib): 3.10.0
Step up your Open Source Security Game with Mend here