CVE-2026-3102

LOW EPSS 87.4%
Published Feb 24, 2026 (4mo ago) · Modified Apr 29, 2026 (2mo ago)
2.1 CVSS 4.0
Low

Description

A vulnerability was found in exiftool up to 13.49 on macOS. It affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. Manipulation of the argument DateTimeOriginal leads to OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. The patch is named e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

CVSS Details

Base Score: 2.1
Exploitability
Impact
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Threat Intelligence

EPSS Exploit Probability
87.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-77 Command Injection (Injection)
CWE-78 OS Command Injection (Injection)

Affected Products 2

Vendor            Product    Version   Range
exiftool_project  exiftool   *         <13.50
apple             macos      *         any

References 7

  • github.com https://github.com/exiftool/exiftool/
    Product
  • github.com https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
    Patch
  • github.com https://github.com/exiftool/exiftool/releases/tag/13.50
    Release Notes
  • vuldb.com https://vuldb.com/?ctiid.347528
    Permissions Required
  • vuldb.com https://vuldb.com/?id.347528
    Third Party Advisory, VDB Entry
  • vuldb.com https://vuldb.com/?submit.758146
    Exploit, Third Party Advisory, VDB Entry
  • youtube.com https://www.youtube.com/watch?v=akk0vmilfb4
    Exploit

Remediation

  • github.com https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
    Patch