CVE-2026-3102
exiftool PNG File MacOS.pm SetMacOSTags os command injection
CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
| CWE | CWE-78 CWE-77 |
| Vendor | n/a |
| Product | exiftool |
| Published | Feb 24, 2026 |
| Last Updated | Feb 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for n/a exiftool
Be the first to know when new medium vulnerabilities affecting n/a exiftool are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
n/a / exiftool
13.0 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 13.9 13.10 13.11 13.12 13.13 13.14 13.15 13.16 13.17 13.18 13.19 13.20 13.21 13.22 13.23 13.24 13.25 13.26 13.27 13.28 13.29 13.30 13.31 13.32 13.33 13.34 13.35 13.36 13.37 13.38 13.39 13.40 13.41 13.42 13.43 13.44 13.45 13.46 13.47 13.48 13.49
References
vuldb.com: https://vuldb.com/?id.347528 vuldb.com: https://vuldb.com/?ctiid.347528 vuldb.com: https://vuldb.com/?submit.758146 youtube.com: https://www.youtube.com/watch?v=akk0vmilfb4 github.com: https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7 github.com: https://github.com/exiftool/exiftool/releases/tag/13.50 github.com: https://github.com/exiftool/exiftool/
Credits
๐ owl4444 (VulDB User)