CVE-2026-3102
LOW EPSS 87.4%
Published Feb 24, 2026 · Modified Apr 29, 2026
2.1 CVSS 4.0
Description
A vulnerability was found in exiftool up to 13.49 on macOS. It affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm, part of the PNG File Parser component. Manipulating the argument DateTimeOriginal causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
CVSS Details
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X
Threat Intelligence
EPSS Exploit Probability
87.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-77 Command Injection
CWE-78 OS Command Injection
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| exiftool_project | exiftool | * | <13.50 |
| apple | macos | * | any |
References 7
- https://github.com/exiftool/exiftool/
- https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
- https://github.com/exiftool/exiftool/releases/tag/13.50
- https://vuldb.com/?ctiid.347528
- https://vuldb.com/?id.347528
- https://vuldb.com/?submit.758146
- https://www.youtube.com/watch?v=akk0vmilfb4
Remediation
- https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7