Description
A vulnerability was determined in exiftool up to 13.49 on macOS. It affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm of the PNG File Parser component. Manipulation of the argument DateTimeOriginal causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in exiftool’s SetMacOSTags function within the PNG File Parser. By manipulating the DateTimeOriginal argument, an attacker can inject operating system commands, enabling arbitrary command execution on the host. This flaw permits the execution of shell commands through the exiftool process, compromising the confidentiality, integrity, and availability of the affected system.

Affected Systems

Exiftool versions up to and including 13.49 on macOS are affected. The flaw is specifically located in the lib/Image/ExifTool/MacOS.pm component of the PNG File Parser. Upgrading to exiftool 13.50 or later resolves the issue. The affected operating system is macOS, as indicated by the component’s name and the associated CPE.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, reflecting a moderate risk level, and an EPSS score of less than 1%, indicating a low probability of widespread exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, based on the description stating that the exploit can be carried out remotely and has been publicly disclosed. The weakness is OS command injection, a classic instance of CWE-77 and CWE-78. While the exploitation probability is currently low, the impact of remote command execution warrants prompt attention.

Generated by OpenCVE AI on April 16, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade exiftool to version 13.50 or later to apply the published patch e9609a9bcc0d32bd252a709a562fb822d6dd86f7.
  • Validate and sanitize the DateTimeOriginal input before it is passed to the SetMacOSTags routine to prevent command injection.
  • Monitor macOS systems for unexpected shell activity or anomalous process creation linked to exiftool usage, and investigate any irregularities immediately.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Apple; Apple macos
CPEs | (none) | cpe:2.3:a:exiftool_project:exiftool:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products | (none) | Apple; Apple macos

Wed, 25 Feb 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Exiftool Project; Exiftool Project exiftool
Vendors & Products | (none) | Exiftool Project; Exiftool Project exiftool

Tue, 24 Feb 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
Title | (none) | exiftool PNG File MacOS.pm SetMacOSTags os command injection
Weaknesses | (none) | CWE-77; CWE-78
References | (none) | (none)
Metrics | (none) | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
Metrics | (none) | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | (none) | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | (none) | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T19:01:01.682Z

Reserved: 2026-02-24T09:53:41.654Z

Link: CVE-2026-3102

Vulnrichment

Updated: 2026-02-27T19:00:54.635Z

NVD

Status : Analyzed

Published: 2026-02-24T15:21:41.317

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses