Description

A vulnerability was found in exiftool up to 13.49 on macOS. It affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. Manipulating the argument DateTimeOriginal causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

PUBLISHED Reserved 2026-02-24 | Published 2026-02-24 | Updated 2026-02-24 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

OS Command Injection

Command Injection

Timeline

2026-02-24: Advisory disclosed
2026-02-24: VulDB entry created
2026-02-24: VulDB entry last update

Credits

owl4444 (VulDB User) reporter

References

vuldb.com/?id.347528 (VDB-347528 | exiftool PNG File MacOS.pm SetMacOSTags os command injection) vdb-entry technical-description

vuldb.com/?ctiid.347528 (VDB-347528 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.758146 (Submit #758146 | Exiftool 13.49 Arbitrary Code Execution) third-party-advisory

www.youtube.com/watch?v=akk0vmilfb4 media-coverage

github.com/...ommit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7 patch

github.com/exiftool/exiftool/releases/tag/13.50 patch

github.com/exiftool/exiftool/ product

cve.org (CVE-2026-3102)

nvd.nist.gov (CVE-2026-3102)
