PT-2026-21764 · Exiftool · Exiftool
Owl4444
·
Published
2026-02-24
·
Updated
2026-05-25
·
CVE-2026-3102
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
exiftool versions prior to 13.50
Description
An OS command injection issue exists in the PNG File Parser component of exiftool on macOS. The flaw is located in the
SetMacOSTags() function within the lib/Image/ExifTool/MacOS.pm file. A remote attacker can achieve arbitrary code execution with user privileges by embedding shell commands in the EXIF DateTimeOriginal metadata of a malicious image. The attack is triggered when the unsanitized $val parameter is passed to a system() call during the processing of the DateTimeOriginal tag, specifically when using the -n (raw output mode) flag and the -tagsFromFile feature to copy data to the FileCreateDate tag. This process bypasses the PrintConvInv filter validation, allowing the /usr/bin/setfile command to execute the injected payload.Recommendations
Update exiftool to version 13.50 or later.
As a temporary workaround, avoid using the
-n flag and the -tagsFromFile feature when processing images from untrusted sources to prevent the vulnerable code path from being triggered.Exploit
Fix
RCE
LPE
OS Command Injection
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Exiftool