CVE-2026-3102
OS Command Injection in exiftool PNG Parser via DateTimeOriginal
Publication date: 2026-02-24
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| exiftool_project | exiftool | up to 13.50 (13.50 itself excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3102 is a critical OS command injection vulnerability found in ExifTool versions up to 13.49 on macOS. It specifically affects the function SetMacOSTags within the file lib/Image/ExifTool/MacOS.pm, part of the PNG File Parser component. The vulnerability arises from improper handling of the DateTimeOriginal argument, which can be manipulated with crafted input to inject arbitrary OS commands.
An attacker can craft an image file (such as PNG or JPG) with a malicious DateTimeOriginal metadata tag containing shell command injection payloads. When ExifTool processes this tag, it executes the injected commands via the macOS /usr/bin/setfile utility, leading to arbitrary command execution.
This attack can be carried out remotely and requires only user interaction. A public proof-of-concept exploit is available, making the vulnerability easily exploitable.
Upgrading to ExifTool version 13.50, which includes a patch for this issue, is recommended to mitigate the risk.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary OS commands on affected macOS systems without authentication, by exploiting the DateTimeOriginal metadata tag in image files.
Successful exploitation can compromise the confidentiality, integrity, and availability of the system. Attackers could execute malicious commands, create files, or spawn reverse shells to take control of the system.
Because the exploit requires only user interaction and is publicly disclosed, the risk of attack is significant if the vulnerable ExifTool version is used.
Upgrading to version 13.50 eliminates this risk by applying a security patch.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the command injection via crafted image files with malicious DateTimeOriginal metadata tags. A proof-of-concept (PoC) involves using ExifTool commands to inject and trigger the payload.

A sample detection method includes creating a minimal PNG file with a malicious DateTimeOriginal tag containing shell command injection payloads, then using ExifTool to process this file and observing whether arbitrary commands execute.

An example command sequence from the PoC is:

- Create a minimal 1x1 transparent PNG file.
- Inject the payload into the DateTimeOriginal tag, e.g., setting it to a value like `2026:02:07'$(touch /tmp/exiftool_poc)'`.
- Use ExifTool's `-tagsFromFile` option to copy DateTimeOriginal to FileCreateDate, triggering the vulnerable code path.

If successful, this will create a file `/tmp/exiftool_poc` on the system, indicating the vulnerability is present. [6]
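A defender can also check a file for the precondition without triggering anything. The following is an added example, not code from this page or from ExifTool: it walks a PNG's chunks, parses the EXIF block in the eXIf chunk (assumed here to be where the tag is stored in a PNG), and reports a DateTimeOriginal that is anything other than a plain timestamp. The `build_test_png` helper and the values fed to it are constructed for demonstration.

```python
import re
import struct
import zlib

# Added defender-side check (hypothetical, not ExifTool code). Assumes the tag sits in the
# PNG eXIf chunk: IFD0 tag 0x8769 points at the Exif IFD, whose tag 0x9003 is DateTimeOriginal.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
TIMESTAMP = re.compile(rb"\d{4}:\d{2}:\d{2}( \d{2}:\d{2}:\d{2})?")  # the only legitimate shape
def png_chunks(data):
    """Yield (type, body) for every chunk; raises on a truncated file."""
    assert data.startswith(PNG_SIG), "not a PNG"
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length: raise ValueError("truncated chunk")
        yield ctype, body
        pos += 12 + length  # length + type + body + CRC (CRC not verified here)

def ifd_entries(tiff, off, end):
    """Map tag -> (type, count, 4 raw value/offset bytes) for the IFD at off."""
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    rows = [struct.unpack(end + "HHI4s", tiff[off + 2 + 12 * i:off + 14 + 12 * i]) for i in range(n)]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in rows}

def exif_datetime_original(tiff):
    """Return raw DateTimeOriginal bytes from a TIFF block, or None if absent."""
    end = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ptr = ifd_entries(tiff, struct.unpack(end + "I", tiff[4:8])[0], end).get(0x8769)
    dto = ptr and ifd_entries(tiff, struct.unpack(end + "I", ptr[2])[0], end).get(0x9003)
    if not dto: return None
    _, cnt, raw = dto  # ASCII values longer than 4 bytes live at the offset held in raw
    value = raw[:cnt] if cnt <= 4 else tiff[struct.unpack(end + "I", raw)[0]:][:cnt]
    return value.rstrip(b"\x00")

def suspicious_datetime_original(png):
    """Return the offending DateTimeOriginal as str, or None if the PNG looks clean."""
    for ctype, body in png_chunks(png):
        if ctype == b"eXIf":
            value = exif_datetime_original(body)
            if value is not None and not TIMESTAMP.fullmatch(value):
                return value.decode("latin-1")
    return None

def build_test_png(dto):
    """Constructed sample: 1x1 IHDR + little-endian eXIf carrying dto + IEND."""
    ifd0 = struct.pack("<HHHII", 1, 0x8769, 4, 1, 26) + b"\x00" * 4  # IFD0 at 8, Exif IFD at 26
    exif = struct.pack("<HHHII", 1, 0x9003, 2, len(dto) + 1, 44) + b"\x00" * 4  # string at 44
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + dto + b"\x00"
    png = bytearray(PNG_SIG)
    for ctype, body in [(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)), (b"eXIf", tiff), (b"IEND", b"")]:
        png += struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    return bytes(png)
```

Run `suspicious_datetime_original(open(path, "rb").read())` over a quarantine directory; a non-None result means the file deserves inspection before any ExifTool run on a macOS host still below 13.50.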
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade ExifTool to version 13.50 or later, which includes a patch that fixes this vulnerability.
Avoid processing untrusted or suspicious image files containing metadata that could exploit this vulnerability, especially on macOS systems.
Apply the patch identified by commit e9609a9bcc0d32bd252a709a562fb822d6dd86f7 from the ExifTool GitHub repository if upgrading immediately is not possible.