CVE-2026-3102

MediumPublic PoC

Published: 24 February 2026

Published

24 February 2026

Modified

26 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Score 0.0026 49.4th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is…

possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the OS command injection flaw in ExifTool by applying the patch to version 13.50.

SI-10 Information Input Validation partial match

prevent

Addresses command injection by enforcing validation and sanitization of inputs like the manipulated DateTimeOriginal argument in the PNG parser.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify the presence of CVE-2026-3102 in ExifTool installations for prompt patching.

Security SummaryAI

CVE-2026-3102 is an OS command injection vulnerability affecting ExifTool versions up to 13.49 on macOS. The issue resides in the SetMacOSTags function within the lib/Image/ExifTool/MacOS.pm module of the PNG File Parser component. It is triggered by manipulation of the DateTimeOriginal argument, leading to command injection (CWE-77, CWE-78). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

The attack can be carried out remotely by an unauthenticated attacker with network access who tricks a user into processing a specially crafted PNG file using the vulnerable ExifTool version. User interaction is required, such as opening or parsing the malicious file. Successful exploitation allows limited impact on confidentiality, integrity, and availability, enabling arbitrary OS command execution on the target's macOS system.

Mitigation is addressed by upgrading to ExifTool version 13.50, which includes the fixing commit e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended, as detailed in the official GitHub repository, release notes, and commit history.

The exploit has been publicly disclosed and may be utilized, with further details available via VulDB entries.

Details

CWE(s): CWE-77 CWE-78

Affected Products

exiftool project

exiftool

≤ 13.50

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of ExifTool via crafted PNG file for client-side code execution (T1203) and arbitrary OS command injection on macOS, facilitating Unix Shell usage (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/exiftool/exiftool/
Product · cna@vuldb.com
https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
Patch · cna@vuldb.com
https://github.com/exiftool/exiftool/releases/tag/13.50
Release Notes · cna@vuldb.com
https://vuldb.com/?ctiid.347528
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.347528
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.758146
Exploit, Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.youtube.com/watch?v=akk0vmilfb4
Exploit · cna@vuldb.com