A vulnerability categorized as critical has been discovered in Pillow up to 12.2.0. Affected is the function
WindowsViewer.get_command of the component Command Builder. Such manipulation leads to os command injection.
This vulnerability is documented as CVE-2026-55798. The attack can be executed remotely. There is not any exploit available.