A vulnerability categorized as critical has been discovered in Pillow up to 12.2.0. Affected is the function WindowsViewer.get_command of the component Command Builder. Such manipulation leads to os command injection.

This vulnerability is documented as CVE-2026-55798. The attack can be executed remotely. There is not any exploit available.