PT-2026-21764 · Exiftool · Exiftool

Owl4444

·

Published

2026-02-24

·

Updated

2026-05-25

·

CVE-2026-3102

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions exiftool versions prior to 13.50
Description An OS command injection issue exists in the PNG File Parser component of exiftool on macOS. The flaw is located in the SetMacOSTags() function within the lib/Image/ExifTool/MacOS.pm file. A remote attacker can achieve arbitrary code execution with user privileges by embedding shell commands in the EXIF DateTimeOriginal metadata of a malicious image. The attack is triggered when the unsanitized $val parameter is passed to a system() call during the processing of the DateTimeOriginal tag, specifically when using the -n (raw output mode) flag and the -tagsFromFile feature to copy data to the FileCreateDate tag. This process bypasses the PrintConvInv filter validation, allowing the /usr/bin/setfile command to execute the injected payload.
Recommendations Update exiftool to version 13.50 or later. As a temporary workaround, avoid using the -n flag and the -tagsFromFile feature when processing images from untrusted sources to prevent the vulnerable code path from being triggered.

Exploit

Fix

RCE

LPE

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3102

Affected Products

Exiftool