Critical
High
Medium
Low
Secrets
Misconfig
| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| HIGH | CVE-2026-25990 | pillow | 11.1.0 | 12.1.1 | Pillow affected by out-of-bounds write when loading PSD images |
| Type | File | Line | Match |
|---|---|---|---|
| ✅ No secrets found | |||
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| ✅ No misconfigurations found | ||||
{
"SchemaVersion": 2,
"Trivy": {
"Version": "0.69.0"
},
"ReportID": "019c513e-de81-7e60-96ad-99d1242804d1",
"CreatedAt": "2026-02-12T09:46:40.641943916Z",
"ArtifactID": "sha256:e57b316be62dff8bb479c2b76208e45d531526c519325cd6da12529ff8e6e174",
"ArtifactName": "/src",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/eizen-ai/eizen-llava-inference.git",
"Branch": "code-refactor-v2",
"Commit": "61e20bce5434f28597347b50d613c621aae148bf",
"CommitMsg": "vulnerability_fixes_v2",
"Author": "prasad <ayithireddyp@gmail.com>",
"Committer": "prasad <ayithireddyp@gmail.com>"
},
"Results": [
{
"Target": "requirements.txt",
"Class": "lang-pkgs",
"Type": "pip",
"Packages": [
{
"Name": "Jinja2",
"Identifier": {
"PURL": "pkg:pypi/jinja2@3.1.6",
"UID": "45848c8e63c496a9"
},
"Version": "3.1.6",
"Locations": [
{
"StartLine": 9,
"EndLine": 9
}
],
"AnalyzedBy": "pip"
},
{
"Name": "MarkupSafe",
"Identifier": {
"PURL": "pkg:pypi/markupsafe@3.0.2",
"UID": "f895013f25d2efed"
},
"Version": "3.0.2",
"Locations": [
{
"StartLine": 10,
"EndLine": 10
}
],
"AnalyzedBy": "pip"
},
{
"Name": "PyYAML",
"Identifier": {
"PURL": "pkg:pypi/pyyaml@6.0.2",
"UID": "636f893cbfa7b0d0"
},
"Version": "6.0.2",
"Locations": [
{
"StartLine": 20,
"EndLine": 20
}
],
"AnalyzedBy": "pip"
},
{
"Name": "accelerate",
"Identifier": {
"PURL": "pkg:pypi/accelerate@1.4.0",
"UID": "1d27dd4aaa476b2a"
},
"Version": "1.4.0",
"Locations": [
{
"StartLine": 1,
"EndLine": 1
}
],
"AnalyzedBy": "pip"
},
{
"Name": "av",
"Identifier": {
"PURL": "pkg:pypi/av@14.0.1",
"UID": "56bc1f7810afb5c1"
},
"Version": "14.0.1",
"Locations": [
{
"StartLine": 19,
"EndLine": 19
}
],
"AnalyzedBy": "pip"
},
{
"Name": "bitsandbytes",
"Identifier": {
"PURL": "pkg:pypi/bitsandbytes@0.45.3",
"UID": "bbde0980765a80aa"
},
"Version": "0.45.3",
"Locations": [
{
"StartLine": 2,
"EndLine": 2
}
],
"AnalyzedBy": "pip"
},
{
"Name": "boto3",
"Identifier": {
"PURL": "pkg:pypi/boto3@1.36.4",
"UID": "8321b987d454501e"
},
"Version": "1.36.4",
"Locations": [
{
"StartLine": 35,
"EndLine": 35
}
],
"AnalyzedBy": "pip"
},
{
"Name": "certifi",
"Identifier": {
"PURL": "pkg:pypi/certifi@2025.1.31",
"UID": "f106f17482c90b34"
},
"Version": "2025.1.31",
"Locations": [
{
"StartLine": 3,
"EndLine": 3
}
],
"AnalyzedBy": "pip"
},
{
"Name": "charset-normalizer",
"Identifier": {
"PURL": "pkg:pypi/charset-normalizer@3.4.1",
"UID": "5fead1ef624ac1ee"
},
"Version": "3.4.1",
"Locations": [
{
"StartLine": 4,
"EndLine": 4
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi",
"Identifier": {
"PURL": "pkg:pypi/fastapi@0.115.6",
"UID": "f18968a786ec127a"
},
"Version": "0.115.6",
"Locations": [
{
"StartLine": 33,
"EndLine": 33
}
],
"AnalyzedBy": "pip"
},
{
"Name": "filelock",
"Identifier": {
"PURL": "pkg:pypi/filelock@3.20.3",
"UID": "b354872985017c13"
},
"Version": "3.20.3",
"Locations": [
{
"StartLine": 5,
"EndLine": 5
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fsspec",
"Identifier": {
"PURL": "pkg:pypi/fsspec@2025.2.0",
"UID": "19a9723e8c3a4914"
},
"Version": "2025.2.0",
"Locations": [
{
"StartLine": 6,
"EndLine": 6
}
],
"AnalyzedBy": "pip"
},
{
"Name": "huggingface-hub",
"Identifier": {
"PURL": "pkg:pypi/huggingface-hub@0.30.2",
"UID": "54aeed72c718eb21"
},
"Version": "0.30.2",
"Locations": [
{
"StartLine": 7,
"EndLine": 7
}
],
"AnalyzedBy": "pip"
},
{
"Name": "idna",
"Identifier": {
"PURL": "pkg:pypi/idna@3.10",
"UID": "6891a2dd71220feb"
},
"Version": "3.10",
"Locations": [
{
"StartLine": 8,
"EndLine": 8
}
],
"AnalyzedBy": "pip"
},
{
"Name": "mpmath",
"Identifier": {
"PURL": "pkg:pypi/mpmath@1.3.0",
"UID": "13c983e4933de005"
},
"Version": "1.3.0",
"Locations": [
{
"StartLine": 11,
"EndLine": 11
}
],
"AnalyzedBy": "pip"
},
{
"Name": "networkx",
"Identifier": {
"PURL": "pkg:pypi/networkx@3.4.2",
"UID": "52896dc3bc68b9a3"
},
"Version": "3.4.2",
"Locations": [
{
"StartLine": 12,
"EndLine": 12
}
],
"AnalyzedBy": "pip"
},
{
"Name": "numpy",
"Identifier": {
"PURL": "pkg:pypi/numpy@1.26.4",
"UID": "ba92d258395ca464"
},
"Version": "1.26.4",
"Locations": [
{
"StartLine": 13,
"EndLine": 13
}
],
"AnalyzedBy": "pip"
},
{
"Name": "opencv-python",
"Identifier": {
"PURL": "pkg:pypi/opencv-python@4.11.0.86",
"UID": "aa1f16ca3518f21"
},
"Version": "4.11.0.86",
"Locations": [
{
"StartLine": 14,
"EndLine": 14
}
],
"AnalyzedBy": "pip"
},
{
"Name": "packaging",
"Identifier": {
"PURL": "pkg:pypi/packaging@24.2",
"UID": "30ec11158bb14c27"
},
"Version": "24.2",
"Locations": [
{
"StartLine": 15,
"EndLine": 15
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pillow",
"Identifier": {
"PURL": "pkg:pypi/pillow@11.1.0",
"UID": "eb567629c33246d"
},
"Version": "11.1.0",
"Locations": [
{
"StartLine": 16,
"EndLine": 16
}
],
"AnalyzedBy": "pip"
},
{
"Name": "protobuf",
"Identifier": {
"PURL": "pkg:pypi/protobuf@5.29.6",
"UID": "f0bf2233e8495cac"
},
"Version": "5.29.6",
"Locations": [
{
"StartLine": 17,
"EndLine": 17
}
],
"AnalyzedBy": "pip"
},
{
"Name": "psutil",
"Identifier": {
"PURL": "pkg:pypi/psutil@7.0.0",
"UID": "c8679f5530f73935"
},
"Version": "7.0.0",
"Locations": [
{
"StartLine": 18,
"EndLine": 18
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-dotenv",
"Identifier": {
"PURL": "pkg:pypi/python-dotenv@1.0.1",
"UID": "18f0b9160a0a9621"
},
"Version": "1.0.1",
"Locations": [
{
"StartLine": 36,
"EndLine": 36
}
],
"AnalyzedBy": "pip"
},
{
"Name": "regex",
"Identifier": {
"PURL": "pkg:pypi/regex@2024.11.6",
"UID": "e49cc5c7093b8bc"
},
"Version": "2024.11.6",
"Locations": [
{
"StartLine": 21,
"EndLine": 21
}
],
"AnalyzedBy": "pip"
},
{
"Name": "requests",
"Identifier": {
"PURL": "pkg:pypi/requests@2.32.4",
"UID": "ee373a7879a5fd81"
},
"Version": "2.32.4",
"Locations": [
{
"StartLine": 22,
"EndLine": 22
}
],
"AnalyzedBy": "pip"
},
{
"Name": "safetensors",
"Identifier": {
"PURL": "pkg:pypi/safetensors@0.5.3",
"UID": "f2e646a3aaa73c55"
},
"Version": "0.5.3",
"Locations": [
{
"StartLine": 23,
"EndLine": 23
}
],
"AnalyzedBy": "pip"
},
{
"Name": "sentencepiece",
"Identifier": {
"PURL": "pkg:pypi/sentencepiece@0.2.1",
"UID": "1e95547124ca2b77"
},
"Version": "0.2.1",
"Locations": [
{
"StartLine": 24,
"EndLine": 24
}
],
"AnalyzedBy": "pip"
},
{
"Name": "setuptools",
"Identifier": {
"PURL": "pkg:pypi/setuptools@78.1.1",
"UID": "70c3b4d61bc08e76"
},
"Version": "78.1.1",
"Locations": [
{
"StartLine": 25,
"EndLine": 25
}
],
"AnalyzedBy": "pip"
},
{
"Name": "sympy",
"Identifier": {
"PURL": "pkg:pypi/sympy@1.13.3",
"UID": "248add41654cdbf1"
},
"Version": "1.13.3",
"Locations": [
{
"StartLine": 26,
"EndLine": 26
}
],
"AnalyzedBy": "pip"
},
{
"Name": "tokenizers",
"Identifier": {
"PURL": "pkg:pypi/tokenizers@0.21.0",
"UID": "3cddc1e294d0cc88"
},
"Version": "0.21.0",
"Locations": [
{
"StartLine": 27,
"EndLine": 27
}
],
"AnalyzedBy": "pip"
},
{
"Name": "torch",
"Identifier": {
"PURL": "pkg:pypi/torch@2.8.0",
"UID": "711c7365baaf63f5"
},
"Version": "2.8.0",
"Locations": [
{
"StartLine": 37,
"EndLine": 37
}
],
"AnalyzedBy": "pip"
},
{
"Name": "torchvision",
"Identifier": {
"PURL": "pkg:pypi/torchvision@0.23.0",
"UID": "6878c3499f8ea3ca"
},
"Version": "0.23.0",
"Locations": [
{
"StartLine": 38,
"EndLine": 38
}
],
"AnalyzedBy": "pip"
},
{
"Name": "tqdm",
"Identifier": {
"PURL": "pkg:pypi/tqdm@4.67.1",
"UID": "730b17a30984ec06"
},
"Version": "4.67.1",
"Locations": [
{
"StartLine": 28,
"EndLine": 28
}
],
"AnalyzedBy": "pip"
},
{
"Name": "transformers",
"Identifier": {
"PURL": "pkg:pypi/transformers@4.53.0",
"UID": "4804a06a7f61f194"
},
"Version": "4.53.0",
"Locations": [
{
"StartLine": 29,
"EndLine": 29
}
],
"AnalyzedBy": "pip"
},
{
"Name": "triton",
"Identifier": {
"PURL": "pkg:pypi/triton@3.4.0",
"UID": "65c486a5fad9c441"
},
"Version": "3.4.0",
"Locations": [
{
"StartLine": 30,
"EndLine": 30
}
],
"AnalyzedBy": "pip"
},
{
"Name": "typing_extensions",
"Identifier": {
"PURL": "pkg:pypi/typing-extensions@4.12.2",
"UID": "8329b8171a874ea8"
},
"Version": "4.12.2",
"Locations": [
{
"StartLine": 31,
"EndLine": 31
}
],
"AnalyzedBy": "pip"
},
{
"Name": "urllib3",
"Identifier": {
"PURL": "pkg:pypi/urllib3@2.6.3",
"UID": "4560629ed125df57"
},
"Version": "2.6.3",
"Locations": [
{
"StartLine": 32,
"EndLine": 32
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvicorn",
"Identifier": {
"PURL": "pkg:pypi/uvicorn@0.34.0",
"UID": "6340421f539370a3"
},
"Version": "0.34.0",
"Locations": [
{
"StartLine": 34,
"EndLine": 34
}
],
"AnalyzedBy": "pip"
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2026-25990",
"VendorIDs": [
"GHSA-cfh3-3jmp-rvhc"
],
"PkgName": "pillow",
"PkgIdentifier": {
"PURL": "pkg:pypi/pillow@11.1.0",
"UID": "eb567629c33246d"
},
"InstalledVersion": "11.1.0",
"FixedVersion": "12.1.1",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25990",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:a04e799151847d877de7db298caed5abf23eff55cf7beaa048e2d1017d2a8b17",
"Title": "Pillow affected by out-of-bounds write when loading PSD images",
"Description": "### Impact\nAn out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.\n\n### Patches\nPillow 12.1.1 will be released shortly with a fix for this.\n\n### Workarounds\n`Image.open()` has a `formats` parameter that can be used to prevent PSD images from being opened.\n\n### References\nPillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html",
"Severity": "HIGH",
"VendorSeverity": {
"ghsa": 3
},
"References": [
"https://github.com/python-pillow/Pillow",
"https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199",
"https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa",
"https://github.com/python-pillow/Pillow/pull/9427",
"https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc",
"https://nvd.nist.gov/vuln/detail/CVE-2026-25990",
"https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html"
]
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 24,
"Failures": 0
}
}
]
}