CVE-2026-3102
Received Received - Intake
OS Command Injection in exiftool PNG Parser via DateTimeOriginal

Publication date: 2026-02-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3102
EUVD
EUVD-2026-8471
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
exiftool_project exiftool to 13.50 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3102 is a critical OS command injection vulnerability found in ExifTool versions up to 13.49 on macOS. It specifically affects the function SetMacOSTags within the file lib/Image/ExifTool/MacOS.pm, part of the PNG File Parser component. The vulnerability arises from improper handling of the DateTimeOriginal argument, which can be manipulated with crafted input to inject arbitrary OS commands.

An attacker can craft an image file (such as PNG or JPG) with a malicious DateTimeOriginal metadata tag containing shell command injection payloads. When ExifTool processes this tag, it executes the injected commands via the macOS /usr/bin/setfile utility, leading to arbitrary command execution.

This attack can be carried out remotely and requires only user interaction. A public proof-of-concept exploit is available, making the vulnerability easily exploitable.

Upgrading to ExifTool version 13.50, which includes a patch for this issue, is recommended to mitigate the risk.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary OS commands on affected macOS systems without authentication, by exploiting the DateTimeOriginal metadata tag in image files.

Successful exploitation can compromise the confidentiality, integrity, and availability of the system. Attackers could execute malicious commands, create files, or spawn reverse shells to take control of the system.

Because the exploit requires only user interaction and is publicly disclosed, the risk of attack is significant if the vulnerable ExifTool version is used.

Upgrading to version 13.50 eliminates this risk by applying a security patch.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the command injection via crafted image files with malicious DateTimeOriginal metadata tags. A proof-of-concept (PoC) involves using ExifTool commands to inject and trigger the payload.'}, {'type': 'paragraph', 'content': 'A sample detection method includes creating a minimal PNG file with a malicious DateTimeOriginal tag containing shell command injection payloads, then using ExifTool to process this file and observe if arbitrary commands execute.'}, {'type': 'paragraph', 'content': 'An example command sequence from the PoC is:'}, {'type': 'list_item', 'content': 'Create a minimal 1x1 transparent PNG file.'}, {'type': 'list_item', 'content': "Inject the payload into the DateTimeOriginal tag, e.g., setting it to a value like `2026:02:07'$(touch /tmp/exiftool_poc)'`."}, {'type': 'list_item', 'content': "Use ExifTool's `-tagsFromFile` option to copy DateTimeOriginal to FileCreateDate, triggering the vulnerable code path."}, {'type': 'paragraph', 'content': 'If successful, this will create a file `/tmp/exiftool_poc` on the system, indicating the vulnerability is present.'}] [6]

Mitigation Strategies

The primary and recommended mitigation step is to upgrade ExifTool to version 13.50 or later, which includes a patch that fixes this vulnerability.

Avoid processing untrusted or suspicious image files containing metadata that could exploit this vulnerability, especially on macOS systems.

Apply the patch identified by commit e9609a9bcc0d32bd252a709a562fb822d6dd86f7 from the ExifTool GitHub repository if upgrading immediately is not possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3102. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart