CVE-2026-3102

low-risk

Published 2026-02-24

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

Do I need to act?

0.23% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Exiftool

Affected Vendors

Exiftool Project

References (7)

Product https://github.com/exiftool/exiftool/

Patch https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd...

Release Notes https://github.com/exiftool/exiftool/releases/tag/13.50

Permissions Required https://vuldb.com/?ctiid.347528

Third Party Advisory https://vuldb.com/?id.347528

Exploit https://vuldb.com/?submit.758146

Exploit https://www.youtube.com/watch?v=akk0vmilfb4

/ 100

low-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal