According to the Changelog [1] this fixes two CVE's.<p>[1]: <a href="https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst" rel="nofollow">https://github.com/python-pillow/Pillow/blob/main/CHANGES.rs...</a>