Exiftool Project Exiftool vulnerabilities
4 known vulnerabilities affecting exiftool_project/exiftool.
Total CVEs: 4
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: HIGH 3, LOW 1
Vulnerabilities
CVE-2026-3102 [LOW] CWE-77 | CVSS 2.1 | fixed in 13.50 | v13.0 + 49 more | 2026-02-24
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed an
Source: NVD
CVE-2022-23935 [HIGH] CWE-78 | CVSS 7.8 | fixed in 12.38 | 2022-01-25
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.
Source: NVD
CVE-2021-22204 [HIGH] CWE-94 | CVSS 7.8 | KEV | PoC | ≥ 7.44, < 12.24 | 2021-04-23
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
Source: NVD
CVE-2018-20211 [HIGH] CWE-427 | CVSS 7.8 | v8.32 | 2019-01-02
ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\par-%username%\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).
Source: NVD