[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2023-50447":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":88,"aliases":89,"duplicate_of":9,"upstream":92,"downstream":93,"duplicates":134,"related":135,"reserved_at":9,"published_at":153,"modified_at":154,"state":155,"summary":156,"references_raw":165,"kevs":222,"epss":223,"epss_history":226,"metrics":488,"affected":501},"CVE-2023-50447","Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).",null,[11,62],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-94","Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","weakness","Draft","Base","Medium",[20,24,58],{"id":21,"name":22,"techniques":23},"CAPEC-242","Code Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[28,39,46],{"id":29,"name":30,"tactics":31,"countermeasures":38},"T1027.006","HTML Smuggling",[32,35],{"id":33,"name":34},"TA0030","Defense Evasion",{"id":36,"name":37},"TA0005","Stealth",[],{"id":40,"name":41,"tactics":42,"countermeasures":45},"T1027.009","Embedded Payloads",[43,44],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":49,"countermeasures":52},"T1564.009","Resource Forking",[50,51],{"id":33,"name":34},{"id":36,"name":37},[53],{"id":54,"name":55,"tactic":56},"D3-FFV","File Format Verification",{"name":57},"Isolate",{"id":59,"name":60,"techniques":61},"CAPEC-77","Manipulating User-Controlled Variables",[],{"_key":63,"id":63,"name":64,"description":65,"type":15,"status":66,"abstraction":67,"likelihood_of_exploit":18,"capec":68},"CWE-95","Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\").","Incomplete","Variant",[69],{"id":25,"name":26,"techniques":70},[71,76,81],{"id":29,"name":30,"tactics":72,"countermeasures":75},[73,74],{"id":33,"name":34},{"id":36,"name":37},[],{"id":40,"name":41,"tactics":77,"countermeasures":80},[78,79],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":82,"countermeasures":85},[83,84],{"id":33,"name":34},{"id":36,"name":37},[86],{"id":54,"name":55,"tactic":87},{"name":57},[],[90,91],"GHSA-3f63-hfp8-52jq","BIT-pillow-2023-50447",[],[94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,130,132],{"_key":95},"SUSE-SU-2024:0185-1",{"_key":97},"SUSE-SU-2024:0290-1",{"_key":99},"SUSE-SU-2024:0439-1",{"_key":101},"SUSE-SU-2024:0205-1",{"_key":103},"OPENSUSE-SU-2024:0125-1",{"_key":105},"OPENSUSE-SU-2024:13611-1",{"_key":107},"DLA-3724-1",{"_key":109},"DSA-5704-1",{"_key":111},"UBUNTU-CVE-2023-50447",{"_key":113},"MGASA-2024-0018",{"_key":115},"USN-6618-1",{"_key":117},"USN-8135-1",{"_key":119},"DEBIAN-CVE-2023-50447",{"_key":121},"RHSA-2024:0754",{"_key":123},"RHSA-2024:0857",{"_key":125},"RHSA-2024:0893",{"_key":127},"RHSA-2024:1058",{"_key":129},"RHSA-2024:1059",{"_key":131},"RHSA-2024:1060",{"_key":133},"RHSA-2024:3781",[],[136,137,138,139,140,141,142,143,145,147,149,151],{"_key":95},{"_key":113},{"_key":97},{"_key":99},{"_key":101},{"_key":103},{"_key":105},{"_key":144},"CGA-4393-X3J7-6GRG",{"_key":146},"CGA-4R2R-WRG9-G9QQ",{"_key":148},"CGA-H6J8-G59C-55W9",{"_key":150},"CGA-XQWQ-8JQJ-G28P",{"_key":152},"CGA-P8QM-3J6V-J8XP","2024-01-19T00:00:00.000Z","2024-08-02T22:16:46.654Z","Modified",{"cisa_kev":157,"cisa_ransomware":157,"cisa_vendor":9,"epss_severity":158,"epss_score":159,"severity":160,"severity_score":161,"severity_version":162,"severity_source":163,"severity_vector":164,"severity_status":155},false,"low",0.00754,"high",8.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",[166,174,179,184,188,192,197,201,205,209,213,218],{"url":167,"sources":168,"tags":171},"https://github.com/python-pillow/Pillow/releases",[163,169,170],"nvd","osv_pypi",[172,173],"Release Notes","WEB",{"url":175,"sources":176,"tags":177},"https://devhub.checkmarx.com/cve-details/CVE-2023-50447/",[163,169],[178],"Third Party Advisory",{"url":180,"sources":181,"tags":182},"http://www.openwall.com/lists/oss-security/2024/01/20/1",[163,169,170],[183,178,173],"Mailing List",{"url":185,"sources":186,"tags":187},"https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html",[163,169,170],[183,178,173],{"url":189,"sources":190,"tags":191},"https://duartecsantos.github.io/2024-01-02-CVE-2023-50447/",[163,169],[],{"url":193,"sources":194,"tags":195},"https://nvd.nist.gov/vuln/detail/CVE-2023-50447",[170],[196],"Advisory",{"url":198,"sources":199,"tags":200},"https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a",[170],[173],{"url":202,"sources":203,"tags":204},"https://devhub.checkmarx.com/cve-details/CVE-2023-50447",[170],[173],{"url":206,"sources":207,"tags":208},"https://duartecsantos.github.io/2023-01-02-CVE-2023-50447",[170],[173],{"url":210,"sources":211,"tags":212},"https://duartecsantos.github.io/2024-01-02-CVE-2023-50447",[170],[173],{"url":214,"sources":215,"tags":216},"https://github.com/python-pillow/Pillow",[170],[217],"PACKAGE",{"url":219,"sources":220,"tags":221},"https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security",[170],[173],[],{"date":224,"score":159,"percentile":225},"2026-06-04",0.73583,[227,231,234,237,240,243,246,249,251,254,257,260,263,266,269,273,276,279,282,285,288,290,292,295,297,299,301,303,306,309,312,315,318,321,324,327,329,332,335,338,341,344,346,349,353,356,359,362,365,368,371,374,377,380,383,386,389,392,395,398,401,404,406,409,412,415,418,421,424,427,430,433,436,439,442,445,448,451,454,457,460,463,466,469,471,473,476,479,482,485],{"date":228,"score":229,"percentile":230},"2025-11-04",0.00557,0.67263,{"date":232,"score":229,"percentile":233},"2025-11-05",0.67245,{"date":235,"score":229,"percentile":236},"2025-11-06",0.67247,{"date":238,"score":229,"percentile":239},"2025-11-07",0.67262,{"date":241,"score":229,"percentile":242},"2025-11-08",0.6726,{"date":244,"score":229,"percentile":245},"2025-11-09",0.67252,{"date":247,"score":229,"percentile":248},"2025-11-10",0.67242,{"date":250,"score":229,"percentile":236},"2025-11-11",{"date":252,"score":229,"percentile":253},"2025-11-12",0.67267,{"date":255,"score":229,"percentile":256},"2025-11-13",0.67277,{"date":258,"score":229,"percentile":259},"2025-11-14",0.67285,{"date":261,"score":229,"percentile":262},"2025-11-15",0.67282,{"date":264,"score":229,"percentile":265},"2025-11-16",0.67276,{"date":267,"score":229,"percentile":268},"2025-11-17",0.6727,{"date":270,"score":271,"percentile":272},"2025-11-18",0.01787,0.81238,{"date":274,"score":271,"percentile":275},"2025-11-19",0.8124,{"date":277,"score":271,"percentile":278},"2025-11-20",0.81243,{"date":280,"score":229,"percentile":281},"2025-11-21",0.6728,{"date":283,"score":229,"percentile":284},"2025-11-22",0.67288,{"date":286,"score":229,"percentile":287},"2025-11-23",0.67279,{"date":289,"score":229,"percentile":253},"2025-11-24",{"date":291,"score":229,"percentile":265},"2025-11-25",{"date":293,"score":229,"percentile":294},"2025-11-26",0.67283,{"date":296,"score":229,"percentile":259},"2025-11-27",{"date":298,"score":229,"percentile":268},"2025-11-28",{"date":300,"score":229,"percentile":245},"2025-11-29",{"date":302,"score":229,"percentile":236},"2025-11-30",{"date":304,"score":229,"percentile":305},"2025-12-01",0.67401,{"date":307,"score":229,"percentile":308},"2025-12-02",0.67407,{"date":310,"score":229,"percentile":311},"2025-12-03",0.67405,{"date":313,"score":229,"percentile":314},"2025-12-04",0.67238,{"date":316,"score":229,"percentile":317},"2025-12-05",0.67251,{"date":319,"score":229,"percentile":320},"2025-12-06",0.67255,{"date":322,"score":229,"percentile":323},"2025-12-07",0.67249,{"date":325,"score":229,"percentile":326},"2025-12-08",0.67253,{"date":328,"score":229,"percentile":259},"2025-12-09",{"date":330,"score":229,"percentile":331},"2025-12-10",0.67333,{"date":333,"score":229,"percentile":334},"2025-12-11",0.67352,{"date":336,"score":229,"percentile":337},"2025-12-12",0.67377,{"date":339,"score":229,"percentile":340},"2025-12-13",0.67384,{"date":342,"score":229,"percentile":343},"2025-12-14",0.67386,{"date":345,"score":229,"percentile":340},"2025-12-15",{"date":347,"score":229,"percentile":348},"2025-12-16",0.67387,{"date":350,"score":351,"percentile":352},"2025-12-17",0.0134,0.79522,{"date":354,"score":229,"percentile":355},"2025-12-18",0.67436,{"date":357,"score":229,"percentile":358},"2025-12-19",0.67457,{"date":360,"score":229,"percentile":361},"2025-12-20",0.67456,{"date":363,"score":229,"percentile":364},"2025-12-21",0.67444,{"date":366,"score":229,"percentile":367},"2025-12-22",0.67475,{"date":369,"score":229,"percentile":370},"2025-12-23",0.67471,{"date":372,"score":229,"percentile":373},"2025-12-24",0.67479,{"date":375,"score":229,"percentile":376},"2025-12-25",0.6751,{"date":378,"score":229,"percentile":379},"2025-12-26",0.67511,{"date":381,"score":229,"percentile":382},"2025-12-27",0.67566,{"date":384,"score":229,"percentile":385},"2025-12-28",0.67484,{"date":387,"score":229,"percentile":388},"2025-12-29",0.67476,{"date":390,"score":229,"percentile":391},"2025-12-30",0.67489,{"date":393,"score":229,"percentile":394},"2025-12-31",0.67509,{"date":396,"score":229,"percentile":397},"2026-01-01",0.6768,{"date":399,"score":229,"percentile":400},"2026-01-02",0.67668,{"date":402,"score":229,"percentile":403},"2026-01-03",0.6767,{"date":405,"score":229,"percentile":394},"2026-01-04",{"date":407,"score":229,"percentile":408},"2026-01-05",0.67499,{"date":410,"score":229,"percentile":411},"2026-01-06",0.67508,{"date":413,"score":229,"percentile":414},"2026-01-07",0.67527,{"date":416,"score":229,"percentile":417},"2026-01-08",0.67542,{"date":419,"score":229,"percentile":420},"2026-01-09",0.67552,{"date":422,"score":229,"percentile":423},"2026-01-10",0.67555,{"date":425,"score":229,"percentile":426},"2026-01-11",0.67546,{"date":428,"score":229,"percentile":429},"2026-01-12",0.67533,{"date":431,"score":229,"percentile":432},"2026-01-13",0.67528,{"date":434,"score":229,"percentile":435},"2026-01-14",0.67563,{"date":437,"score":229,"percentile":438},"2026-01-15",0.67567,{"date":440,"score":229,"percentile":441},"2026-01-16",0.67583,{"date":443,"score":229,"percentile":444},"2026-01-17",0.67571,{"date":446,"score":229,"percentile":447},"2026-01-18",0.67559,{"date":449,"score":229,"percentile":450},"2026-01-19",0.67543,{"date":452,"score":229,"percentile":453},"2026-01-20",0.67553,{"date":455,"score":229,"percentile":456},"2026-01-21",0.67562,{"date":458,"score":229,"percentile":459},"2026-01-22",0.67572,{"date":461,"score":229,"percentile":462},"2026-01-23",0.67603,{"date":464,"score":229,"percentile":465},"2026-01-24",0.67612,{"date":467,"score":229,"percentile":468},"2026-01-25",0.67581,{"date":470,"score":229,"percentile":459},"2026-01-26",{"date":472,"score":229,"percentile":468},"2026-01-27",{"date":474,"score":229,"percentile":475},"2026-01-28",0.67592,{"date":477,"score":229,"percentile":478},"2026-01-29",0.67588,{"date":480,"score":229,"percentile":481},"2026-01-30",0.67596,{"date":483,"score":229,"percentile":484},"2026-01-31",0.67599,{"date":486,"score":229,"percentile":487},"2026-02-01",0.67747,[489,494,496],{"source":163,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":490,"cvss_v4_0":9},{"baseScore":161,"baseSeverity":491,"vectorString":164,"impactScore":492,"exploitabilityScore":493},"HIGH",9.8,5.6,{"source":169,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":495,"cvss_v4_0":9},{"baseScore":161,"baseSeverity":491,"vectorString":164,"impactScore":492,"exploitabilityScore":493},{"source":170,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":497,"cvss_v4_0":498},{"baseScore":161,"baseSeverity":9,"vectorString":164,"impactScore":492,"exploitabilityScore":493},{"baseScore":499,"baseSeverity":9,"vectorString":500,"impactScore":9,"exploitabilityScore":9},9.3,"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[502,511,522],{"ecosystem":9,"name":503,"vendor":504,"product":505,"cpe_part":506,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":507},"debian linux","debian","debian_linux","o",[508],{"version":509,"is_range":157,"range_type":510,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"10.0","cpe",{"ecosystem":512,"name":513,"vendor":512,"product":513,"cpe_part":9,"purl_type":514,"purl_namespace":9,"purl_name":513,"source":9,"versions":515},"PyPI","pillow","pypi",[516],{"version":517,"is_range":518,"range_type":519,"version_start":9,"version_start_type":9,"version_end":520,"version_end_type":521,"fixed_in":9},"lt10_2_0",true,"ecosystem","10.2.0","excluding",{"ecosystem":9,"name":513,"vendor":523,"product":513,"cpe_part":524,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":525},"python","a",[526],{"version":527,"is_range":518,"range_type":510,"version_start":9,"version_start_type":9,"version_end":528,"version_end_type":529,"fixed_in":9},"lte10.1.0","10.1.0","including"]