cbcvebase.
CVE-2026-3102
published 2026-02-24


Priority: P2 · 60 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 3.41% (87.4th percentile)
A vulnerability was determined in ExifTool up to 13.49 on macOS. The issue affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. Manipulation of the argument DateTimeOriginal causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. Patch: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

Affected

52 ranges · showing 25

Vendor            Product                 Version range   Fixed in
debian            libimage-exiftool-perl
exiftool_project  exiftool                < 13.50         13.50
exiftool_project  exiftool                (23 further rows with no range or fix version shown)

Detection & IOCs (extracted from sources)

hash: e9609a9bcc0d32bd252a709a562fb822d6dd86f7
path: lib/Image/ExifTool/MacOS.pm
  • Monitor invocations of ExifTool (versions ≤ 13.49 on macOS) that process PNG files whose DateTimeOriginal / FileCreateDate metadata field contains shell metacharacters or command-injection payloads; these values are passed unsanitized to system() via SetMacOSTags in lib/Image/ExifTool/MacOS.pm.
  • Alert on ExifTool spawning unexpected child processes (e.g. shells or network utilities) from the SetMacOSTags code path, which calls system() with an unsanitized $val derived from MDItemFSCreationDate / $FileCreateDate.
  • Treat any image file (especially PNG) received from untrusted sources (freelancers, contractors, BYOD devices) as a potential exploit carrier; isolate ExifTool processing of such files in sandboxed or VM environments with restricted network and storage access.
  • The vulnerability is macOS-specific: the SetMacOSTags sink and the system() call it triggers are only exercised on macOS hosts. Linux and Windows ExifTool deployments are not affected by this code path.
  • Exploitation requires ExifTool to process a crafted file with a malicious DateTimeOriginal value; the attacker-controlled value flows through $FileCreateDate → $val into system(). Detection rules should therefore key on the metadata field value, not just the file type.
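A pre-screening check in the spirit of the last bullet, added here as an example and not code from ExifTool or from this record: it walks a PNG's text chunks (tEXt, zTXt, iTXt) and rejects any date tag that is not a strict EXIF timestamp, reporting which shell metacharacters it carries, so a file can be quarantined before any metadata tool touches it. The keyword names it treats as date tags and the sample PNG it builds are assumptions constructed for the demonstration; the record does not say which PNG keyword ExifTool maps to DateTimeOriginal.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
EXIF_DATE = re.compile(r"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}")  # the only shape a date tag may have
SHELL_META = set(";|&`$(){}<>'\"\\*?\n")
DATE_KEYS = {"DateTimeOriginal", "Creation Time"}  # assumed keyword names; the advisory names the tag, not the PNG keyword

def png_text_chunks(data):
    """Yield (keyword, text) for every tEXt, zTXt and iTXt chunk in a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        key, _, rest = body.partition(b"\x00")
        if ctype == b"tEXt":
            yield key.decode("latin-1"), rest.decode("latin-1")
        elif ctype == b"zTXt":  # one compression-method byte, then zlib-compressed text
            yield key.decode("latin-1"), zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":  # flag, method, language\0, translated keyword\0, text
            text = rest[2:].split(b"\x00", 2)[2]
            yield key.decode("latin-1"), (zlib.decompress(text) if rest[0] == 1 else text).decode("utf-8")
        elif ctype == b"IEND":
            break

def flag_date_tags(data):
    """Return [(keyword, value, reason)] for date tags that are not clean EXIF timestamps (allowlist check)."""
    findings = []
    for key, value in png_text_chunks(data):
        if key in DATE_KEYS and not EXIF_DATE.fullmatch(value):
            meta = "".join(sorted(set(value) & SHELL_META))
            findings.append((key, value, f"shell metacharacters {meta!r}" if meta else "not an EXIF timestamp"))
    return findings
def build_png(text_tags):
    """Constructed sample only: a 1x1 grayscale PNG carrying the given tEXt keyword/value pairs."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    out = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for key, value in text_tags:
        out += chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return out + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")

if __name__ == "__main__":
    sample = build_png([("Creation Time", "2026:02:24 12:00:00"), ("DateTimeOriginal", "2026:02:24 12:00:00;")])
    for key, value, reason in flag_date_tags(sample):
        print(f"REJECT {key}={value!r}: {reason}")
```

A trailing newline is deliberately caught by the allowlist (`fullmatch`, not `$`), since a `$`-anchored match would accept it.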

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v4.0     2.1    LOW       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian           5.3    LOW