CVE-2026-43893
Received Received - Intake
Argument Injection in exiftool-vendored

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43893
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
exiftool-vendored exiftool to 35.19.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in exiftool-vendored versions prior to 35.19.0, which provides Node.js access to ExifTool. In these affected versions, certain user-supplied strings were inserted into ExifTool command arguments without properly rejecting line delimiters such as newlines or carriage returns. This flaw allows an attacker to inject additional arguments into the ExifTool command by splitting a single intended argument into multiple ones. Additionally, unsafe control characters like NUL bytes were not rejected. This can lead to ExifTool reading or writing files that the attacker chooses, potentially accessing files accessible to the ExifTool process.

The vulnerability does not allow remote code execution, and it was fixed in version 35.19.0 by rejecting unsafe characters and preventing argument injection.

Impact Analysis

If an application uses a vulnerable version of exiftool-vendored and passes attacker-controlled strings to its APIs, an attacker could exploit this vulnerability to make ExifTool read arbitrary files accessible to its process or write output to files chosen by the attacker.

This could lead to unauthorized disclosure of sensitive information or modification of files within the permissions of the ExifTool process. However, no remote code execution has been demonstrated.

Mitigation Strategies

To mitigate this vulnerability, update exiftool-vendored to version 35.19.0 or later, where the issue is fixed.

Avoid passing attacker-controlled strings to the affected APIs that start ExifTool with the vulnerable argument interpolation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart