Description
A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: "[J]ust to be safe, probably never happen".
Published: 2026-05-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Exiftool, affecting versions 13.53 and earlier. The Process_mrld routine in GM.pm processes the -ee parameter unsafely, allowing an attacker who can run Exiftool locally to inject arbitrary code. This code injection can lead to local execution of attacker-supplied commands, enabling privilege escalation or full system compromise. The flaw is classified as CWE-74 and CWE-94.

Affected Systems

Targeted systems are those running Exiftool for JPEG/QuickTime/MOV/MP4 media processing. All installations of Exiftool up to version 13.53, inclusive, are vulnerable. The patch was introduced in commit 5a8b6b6ead12b39e3f32f978a4efd0233facbb01 and is incorporated in version 13.54.

Risk and Exploitability

The CVSS score of 4.8 reflects a moderate severity assessment, and no EPSS value is available, indicating limited data on current exploitation patterns. Since the vulnerability requires a local attacker with some degree of user privileges, the attack vector is local execution rather than remote. The vulnerability is not listed in the CISA KEV catalog, further suggesting it has not been observed being exploited in the wild. Nonetheless, any system that permits local users to invoke Exiftool with untrusted input should treat the flaw as a potential threat.

Generated by OpenCVE AI on May 1, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Exiftool package to version 13.54 or later, which contains the security fix for the code injection vulnerability.
  • Ensure that Exiftool runs with the minimum set of privileges required for media processing, such as limiting execution to a dedicated user or container, to contain the impact of any potential local code execution.
  • If the -ee option is not needed for your use case, configure Exiftool or your scripts to avoid passing the -ee parameter, or enforce strict input validation before invoking Exiftool.
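The last two recommendations can be enforced in front of the binary rather than relying on every caller to remember them. The following POSIX sh wrapper is an added example, not code from the OpenCVE record or from ExifTool itself: it vets an argument list before handing it to exiftool, refusing the -ee option (its long form is -extractEmbedded, and it accepts numbered variants such as -ee2), refusing any option outside a small allowlist, and insisting that every non-option argument is an existing regular file. The allowlist (-j, -json, -G, -n, -s, -a) is an assumption to be tuned to your own use; the case-insensitive match on -ee is a deliberately conservative choice, not a statement about how exiftool parses options.

```shell
#!/bin/sh
# Added example (not ExifTool's or OpenCVE's code): argument guard for exiftool.
# Usage after sourcing this file:  run_exiftool -j photo.jpg

# Assumption: only these read-only output options are needed by our pipeline.
ALLOWED_OPTS="-j -json -G -n -s -a"

# Lower-case a string (used so -EE / -ExtractEmbedded are caught as well).
lc() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Return 0 when $1 is one of the allowlisted options, 1 otherwise.
is_allowed_opt() {
  opt=$1
  for a in $ALLOWED_OPTS; do
    [ "$opt" = "$a" ] && return 0
  done
  return 1
}

# Return 0 when every argument is acceptable, 1 otherwise (reason on stderr).
# Anything that starts with '-' is treated as an option, so a file whose name
# begins with '-' is rejected too; that is the safe direction for a wrapper.
exiftool_args_ok() {
  [ $# -gt 0 ] || { echo "guard: no arguments given" >&2; return 1; }
  for arg in "$@"; do
    case "$(lc "$arg")" in
      -ee*|-extractembedded*)
        echo "guard: refusing -ee/-extractEmbedded: $arg" >&2
        return 1 ;;
      -*)
        is_allowed_opt "$arg" || {
          echo "guard: option not on allowlist: $arg" >&2
          return 1
        } ;;
      *)
        [ -f "$arg" ] || {
          echo "guard: not an existing regular file: $arg" >&2
          return 1
        } ;;
    esac
  done
  return 0
}

# Invoke exiftool only when the guard passes; the exit status of the guard
# (1) or of exiftool itself is propagated to the caller.
run_exiftool() {
  exiftool_args_ok "$@" || return 1
  exiftool "$@"
}
```

Run the wrapper as the dedicated, unprivileged user or inside the container mentioned in the second recommendation; the guard reduces what untrusted callers can switch on, it does not change what exiftool does with a file it is given.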


Tracking


Advisories

No advisories yet.

History

Fri, 01 May 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 12:15:00 +0000

Values Removed: (none)

Type: Description
Values Added: A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: "[J]ust to be safe, probably never happen".

Type: Title
Values Added: Exiftool JPEG/QuickTime/MOV/MP4 GM.pm Process_mrld code injection

Type: Weaknesses
Values Added: CWE-74, CWE-94

Type: References
Values Added: (none listed)

Type: Metrics
Values Added:
cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T19:29:43.526Z

Reserved: 2026-05-01T06:20:12.971Z

Link: CVE-2026-7580

Vulnrichment

Updated: 2026-05-01T14:52:50.353Z

NVD

Status: Deferred

Published: 2026-05-01T12:16:17.257

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses