PT-2026-21764 · Exiftool · Exiftool

Owl4444 · Published 2026-02-24 · Updated 2026-05-22 · CVE-2026-3102

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: exiftool versions prior to 13.50
Description: A remote OS command injection issue exists in the PNG File Parser component on macOS. The flaw resides in the SetMacOSTags() function within the lib/Image/ExifTool/MacOS.pm file, specifically due to an unsanitized $val parameter used in a system() call. An attacker can execute arbitrary shell commands with the privileges of the user running exiftool by embedding a payload in the DateTimeOriginal metadata tag of a malicious image and copying it to the FileCreateDate tag. This exploitation requires the use of the -n flag (raw output mode) together with the -tagsFromFile feature, which allows the payload to bypass the PrintConvInv filter validation. This issue is particularly significant because the software is widely used in automated media, forensic, and asset-management workflows.
Recommendations: Update exiftool to version 13.50 or later. As a temporary workaround, avoid using the -n and -tagsFromFile flags when processing images from untrusted sources.
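A pre-screening check that complements the workaround above, added here as an example and not part of the advisory or of ExifTool's own code: it walks the tEXt chunks of a PNG and flags any date/time-keyed value that is not a strict date string, which is the constraint a value bound for a system() call should have been held to regardless of the -n flag. The DateTimeOriginal tEXt keyword and the sample files are constructed for illustration; the advisory does not state which PNG chunk ExifTool reads the tag from.

```python
import re
import struct
import zlib

# Strict "YYYY:MM:DD HH:MM:SS" with optional fraction and zone; nothing else passes.
DATETIME_RE = re.compile(r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(\.\d+)?([+-]\d{2}:\d{2}|Z)?$")
SHELL_META = set(";|&`$(){}<>\n\"'\\")

def is_safe_datetime(val: str) -> bool:
    """Accept only a well-formed date/time that carries no shell metacharacters."""
    return bool(DATETIME_RE.match(val)) and not (SHELL_META & set(val))

def png_text_chunks(data: bytes):
    """Yield (keyword, text) from the tEXt chunks of a PNG byte string."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"tEXt":
            key, _, txt = body.partition(b"\x00")
            yield key.decode("latin-1"), txt.decode("latin-1")
        elif ctype == b"IEND":
            break

def unsafe_date_tags(data: bytes) -> list:
    """Return (keyword, text) for date/time-looking tags whose value fails the strict check."""
    return [(k, v) for k, v in png_text_chunks(data)
            if ("date" in k.lower() or "time" in k.lower()) and not is_safe_datetime(v)]

# Constructed sample PNGs (not files from the advisory): 1x1 image plus one tEXt chunk.
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(date_value: str) -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"DateTimeOriginal\x00" + date_value.encode("latin-1"))
            + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print(unsafe_date_tags(make_png("2024:01:02 03:04:05")))              # []
    print(unsafe_date_tags(make_png("2024:01:02 03:04:05;placeholder")))  # flagged
```

Any file that yields a non-empty list should be quarantined rather than passed to exiftool with -n and -tagsFromFile.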

Tags: Exploit · Fix · RCE · LPE · OS Command Injection · Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-3102

Affected Products: Exiftool