{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27809", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.267Z", "datePublished": "2026-02-25T23:57:00.760Z", "dateUpdated": "2026-02-26T15:17:34.807Z"}, "containers": {"cna": {"title": "psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps", "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "lang": "en", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-755", "lang": "en", "description": "CWE-755: Improper Handling of Exceptional Conditions", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-704", "lang": "en", "description": "CWE-704: Incorrect Type Conversion or Cast", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w"}, {"name": "https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1", "tags": ["x_refsource_MISC"], "url": "https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1"}, {"name": "https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2"}], "affected": [{"vendor": "psd-tools", "product": "psd-tools", "versions": [{"version": "< 1.12.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T23:57:00.760Z"}, "descriptions": [{"lang": "en", "value": "psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully."}], "source": {"advisory": "GHSA-24p2-j2jr-386w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:17:16.249743Z", "id": "CVE-2026-27809", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:17:34.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T15:17:16.249743Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:17:22.108Z"}}], "cna": {"title": "psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps", "source": {"advisory": "GHSA-24p2-j2jr-386w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "psd-tools", "product": "psd-tools", "versions": [{"status": "affected", "version": "< 1.12.2"}]}], "references": [{"url": "https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w", "name": "https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1", "name": "https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2", "name": "https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617: Reachable Assertion"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-704", "description": "CWE-704: Incorrect Type Conversion or Cast"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T23:57:00.760Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27809", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:17:34.807Z", "dateReserved": "2026-02-24T02:31:33.267Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T23:57:00.760Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:psd-tools_project:psd-tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "A84A4E59-9D62-4B75-B39E-58413BDCAAC8", "versionEndExcluding": "1.12.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully."}, {"lang": "es", "value": "psd-tools es un paquete de Python para trabajar con archivos PSD de Adobe Photoshop. Antes de la versi\u00f3n 1.12.2, cuando un archivo PSD contiene datos de imagen comprimidos RLE malformados (por ejemplo, una secuencia literal que se extiende m\u00e1s all\u00e1 del tama\u00f1o de fila esperado), decode_rle() lanza un ValueError que se propagaba hasta el usuario, provocando el fallo de psd.composite() y psd-tools export. decompress() ya ten\u00eda una alternativa que reemplaza los canales fallidos con p\u00edxeles negros cuando el resultado es None, pero nunca se activaba porque el ValueError de decode_rle() no era capturado. La correcci\u00f3n en la versi\u00f3n 1.12.2 envuelve la llamada a decode_rle() en un bloque try/except para que la alternativa existente maneje el error de forma elegante."}], "id": "CVE-2026-27809", "lastModified": "2026-03-02T18:55:10.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T00:16:26.233", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-409"}, {"lang": "en", "value": "CWE-617"}, {"lang": "en", "value": "CWE-704"}, {"lang": "en", "value": "CWE-755"}, {"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "psd-tools", "vendor": "psd-tools"}], "analysis": {"en": {"generated_at": "2026-04-17T14:40:00.068702+00:00", "value": {"mitigation_remediation": ["Upgrade psd-tools to version 1.12.2 or later, which adds exception handling around the RLE decoding routine.", "Restrict the source of PSD files to trusted inputs, or validate file integrity before processing, to prevent malformed data from reaching the decoder.", "Wrap calls to psd.composite() and related export functions in try/except blocks as a temporary countermeasure until an official upgrade can be applied."], "summary": {"action": "Update", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is psd-tools, a Python package used for handling Adobe Photoshop PSD files. All versions prior to 1.12.2 are vulnerable; version 1.12.2 and later contain the necessary fix.", "description_and_impact": "The vulnerability resides in the compression module of the psd-tools Python package, where malformed RLE\u2011compressed image data can trigger an unhandled ValueError during decoding. The exception propagates to higher\u2011level functions like psd.composite() and export, resulting in an application crash. As the crash is not limited by authentication, a local attacker can easily cause denial of service by supplying a crafted PSD file, and a remote attacker could potentially exploit the flaw if the application processes user\u2011supplied PSD files without prior validation.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, and the EPSS score of <1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malformed PSD file; no network\u2011remote exploit vector is documented. The lack of a network boundary, however, means that if the affected application accepts PSD files from untrusted sources, it could be exposed to a remote denial of service."}}}}, "created": "2026-02-26T13:10:28.436531+00:00", "updated": "2026-04-17T14:45:21.033848+00:00", "vendors": ["psd-tools", "psd-tools$PRODUCT$psd-tools"]}