Product
A critical out-of-bounds read vulnerability, CVE-2026-59198, exists in Pillow versions 5.2.0 through 12.2.x, specifically within its TGA RLE encoder, allowing adjacent process heap bytes to be copied into generated TGA files, which can lead to information disclosure.