📂 Vulnerable Library - matplotlib-3.10.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl
Python plotting package
Path to dependency file: /examples/ai/image_search/.ws-temp-GKUPSC-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/image-search-l61iL2F1-py3.11/lib/python3.11/site-packages/matplotlib-3.10.7.dist-info
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-50447 | 🔴 High | 8.1 | Not Defined | < 1% | Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl | Transitive | N/A | ❌ | Reachable |
| CVE-2023-45139 | 🔴 High | 7.5 | Not Defined | < 1% | fonttools-4.39.4-py3-none-any.whl | Transitive | N/A | ❌ | Unreachable |
| CVE-2024-28219 | 🟠 Medium | 6.7 | Not Defined | < 1% | Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl | Transitive | N/A | ❌ | Reachable |
| CVE-2025-66034 | 🟠 Medium | 6.3 | Not Defined | < 1% | fonttools-4.39.4-py3-none-any.whl | Transitive | N/A | ❌ | Unreachable |
Details
🔴CVE-2023-50447
Vulnerable Library - Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/3d/59/e6bd2c3715ace343d9739276ceed79657fe116923238d102cf731ab463dd/Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl
Path to dependency file: /examples/ai/image_search/.ws-temp-GKUPSC-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/image-search-l61iL2F1-py3.11/lib/python3.11/site-packages/Pillow-9.5.0.dist-info
Dependency Hierarchy:
- matplotlib-3.10.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (Root Library)
  - ❌ Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- supabase/examples/ai/image_search/image_search/main.py (Application)
  - Pillow-9.5.0/PIL/Image.py (Extension)
    -> ❌ Pillow-9.5.0/PIL/TiffImagePlugin.py (Vulnerable Component)
Vulnerability Details
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Publish Date: Jan 19, 2024 12:00 AM
URL: CVE-2023-50447
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1
Release Date: Jan 19, 2024 12:00 AM
Fix Resolution: pillow - 10.2.0
🔴CVE-2023-45139
Vulnerable Library - fonttools-4.39.4-py3-none-any.whl
Tools to manipulate font files
Library home page: https://files.pythonhosted.org/packages/ad/5f/20da4f41e33e77723b0100ded6539529bd159319ed49d6459a4647cdc7ee/fonttools-4.39.4-py3-none-any.whl
Path to dependency file: /examples/ai/image_search/.ws-temp-GKUPSC-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/image-search-l61iL2F1-py3.11/lib/python3.11/site-packages/fonttools-4.39.4.dist-info
Dependency Hierarchy:
- matplotlib-3.10.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (Root Library)
  - ❌ fonttools-4.39.4-py3-none-any.whl (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (an OT-SVG font), which contains an SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or to make web requests from the host system. This vulnerability has been patched in version 4.43.0.
Publish Date: Jan 10, 2024 04:03 PM
URL: CVE-2023-45139
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-28219
Vulnerable Library - Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/3d/59/e6bd2c3715ace343d9739276ceed79657fe116923238d102cf731ab463dd/Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl
Path to dependency file: /examples/ai/image_search/.ws-temp-GKUPSC-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/image-search-l61iL2F1-py3.11/lib/python3.11/site-packages/Pillow-9.5.0.dist-info
Dependency Hierarchy:
- matplotlib-3.10.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (Root Library)
  - ❌ Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- supabase/examples/ai/image_search/image_search/main.py (Application)
  - Pillow-9.5.0/PIL/Image.py (Extension)
    -> ❌ Pillow-9.5.0/PIL/TiffImagePlugin.py (Vulnerable Component)
Vulnerability Details
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
Publish Date: Apr 03, 2024 12:00 AM
URL: CVE-2024-28219
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-66034
Vulnerable Library - fonttools-4.39.4-py3-none-any.whl
Tools to manipulate font files
Library home page: https://files.pythonhosted.org/packages/ad/5f/20da4f41e33e77723b0100ded6539529bd159319ed49d6459a4647cdc7ee/fonttools-4.39.4-py3-none-any.whl
Path to dependency file: /examples/ai/image_search/.ws-temp-GKUPSC-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/image-search-l61iL2F1-py3.11/lib/python3.11/site-packages/fonttools-4.39.4.dist-info
Dependency Hierarchy:
- matplotlib-3.10.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (Root Library)
  - ❌ fonttools-4.39.4-py3-none-any.whl (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Publish Date: Nov 29, 2025 01:07 AM
URL: CVE-2025-66034
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-768j-98cg-p3fv
Release Date: Nov 29, 2025 01:07 AM
Fix Resolution: fonttools - 4.60.2, https://github.com/fonttools/fonttools.git - 4.60.2