
Bundled version of libpng has CVE-2026-22801 #1186

@alexaryn

After installing opencv-python-headless and opencv-contrib-python via Poetry on Linux x86_64, I find the following libpng shared objects:

.venv/lib/python3.13/site-packages/opencv_python_headless.libs/libpng16-04239421.so.16.48.0
.venv/lib/python3.13/site-packages/opencv_contrib_python.libs/libpng16-1bde1c40.so.16.43.0

Versions of libpng between 1.6.26 and 1.6.53 (inclusive) have CVE-2026-22801. Searching the opencv GitHub organization for libpng, the only version numbers I see are vulnerable.

Could you please upgrade the bundled versions of libpng to 1.6.54 and make new OpenCV releases? This would be very helpful, as automated vulnerability scanners are currently flagging this.
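
The check described in this issue, as an added example that is not part of the original post or of OpenCV's own code: it scans a site-packages directory for wheel-bundled libpng16 shared objects and flags those inside the version range the issue gives. It assumes the `.so.16.N.0` filename suffix corresponds to libpng release 1.6.N; `example_pkg.libs` and its file are constructed sample data.

```python
import re
import sysconfig
import tempfile
from pathlib import Path

# Vulnerable range as stated in the issue: libpng 1.6.26 through 1.6.53, inclusive.
VULN_MIN = (1, 6, 26)
VULN_MAX = (1, 6, 53)

# Bundled copies carry a hash in the name: libpng16-<hash>.so.16.<N>.0
BUNDLED_RE = re.compile(r"^libpng16(?:-[0-9a-f]+)?\.so\.16\.(\d+)\.\d+$")


def libpng_version(filename):
    """Return (1, 6, N) for a libpng16 shared object name, else None.

    Assumption: the .so.16.N.0 suffix corresponds to libpng release 1.6.N.
    """
    m = BUNDLED_RE.match(filename)
    return (1, 6, int(m.group(1))) if m else None


def scan_site_packages(site_packages):
    """Return (libs_dir, filename, version, vulnerable) for each bundled libpng."""
    results = []
    for libs_dir in sorted(Path(site_packages).glob("*.libs")):
        for so in sorted(libs_dir.iterdir()):
            version = libpng_version(so.name)
            if version is not None:
                vulnerable = VULN_MIN <= version <= VULN_MAX
                results.append((libs_dir.name, so.name, version, vulnerable))
    return results


def demo():
    """Scan a constructed tree: the two files from the issue plus a fixed one."""
    sample = {
        "opencv_python_headless.libs": "libpng16-04239421.so.16.48.0",
        "opencv_contrib_python.libs": "libpng16-1bde1c40.so.16.43.0",
        "example_pkg.libs": "libpng16-0a1b2c3d.so.16.54.0",  # hypothetical
    }
    with tempfile.TemporaryDirectory() as tmp:
        for libs_dir, so_name in sample.items():
            (Path(tmp) / libs_dir).mkdir()
            (Path(tmp) / libs_dir / so_name).touch()
        return scan_site_packages(tmp)


if __name__ == "__main__":
    for row in scan_site_packages(sysconfig.get_paths()["platlib"]):
        print(row)
```

Run as a script inside the virtual environment, it reports the bundled libpng copies of every installed wheel, not only the OpenCV ones.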
