PT-2026-37303 · Unknown · Exiftool-Vendored

Dobby153

·

Published

2026-05-05

·

Updated

2026-05-11

·

CVE-2026-43893

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions exiftool-vendored versions prior to 35.19.0
Description Certain strings provided by the caller are interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return within these strings can split a single intended argument into multiple arguments, leading to argument injection. This occurs because the software starts ExifTool in a mode where arguments are read from stdin one per line. This issue allows an attacker to force ExifTool to read files accessible to the process or write output to attacker-chosen file system paths. The issue specifically affects tag-name arguments (tag keys), filename or path arguments, and the imageHashType option. Affected functions include ExifTool#write(), ExifTool#read(), ExifTool#readRaw(), ExifTool#deleteAllTags(), ExifTool#rewriteAllTags(), ExifTool#extractBinaryTag(), ExifTool#extractBinaryTagToBuffer(), ExifTool#extractJpgFromRaw(), ExifTool#extractPreview(), and ExifTool#extractThumbnail().
Recommendations Update to version 35.19.0 or later. As a temporary workaround, reject untrusted strings containing control characters before passing them to the affected APIs, specifically for tag names, retain or numericTags entries, binary-extraction tag names, filenames, and the imageHashType option.

Fix

RCE

Argument Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43893
GHSA-CW26-7653-2RP5

Affected Products

Exiftool-Vendored