CVE-2026-3102 — Command Injection in Project Exiftool

CWE-77 — Command Injection CWE-78 — OS Command Injection4 documents4 sources

Severity

2.1LOWNVD

EPSS

0.2%

top 54.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiftool Project Exiftool Debian Libimage-exiftool-perl

Timeline

PublishedFeb 24

Description

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrad…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶debiandebian/libimage-exiftool-perl

▶NVDexiftool_project/exiftool< 13.50

▶CVEListV5exiftool_project/exiftool50 versions+49

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mr6q-w873-6jfr: A vulnerability was determined in exiftool up to 13↗2026-02-24

▶

📋Vendor Advisories

Debian

CVE-2026-3102: libimage-exiftool-perl - A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affe...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3102 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶