Cyber Posture

CVE-2026-43893

High

Published: 11 May 2026

Modified: 11 May 2026
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0011 (28.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-43893 is a high-severity Argument Injection (CWE-88) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, it ranks at the 28.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

NVD Description

exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0.
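
The framing problem described above, as an added example (not code from exiftool-vendored or from this page): a simplified model of one-argument-per-line input, with a guard that rejects CR, LF and NUL before a string is interpolated into an argument. The function names, the placeholder token and the sample values are all constructed for illustration.

```javascript
// Added example: models line-delimited argument framing. Not the library's code.
// Characters the description names as unsafe: CR, LF and NUL.
const UNSAFE = /[\r\n\0]/;

// Hypothetical guard: throws unless `value` survives line framing as ONE argument.
function assertSingleLineArg(value, label = "argument") {
  if (typeof value !== "string") {
    throw new TypeError(`${label} must be a string`);
  }
  const m = UNSAFE.exec(value);
  if (m) {
    const code = m[0].charCodeAt(0).toString(16).padStart(2, "0");
    throw new Error(`${label} contains control character 0x${code} at index ${m.index}`);
  }
  return value;
}

// Simplified model (assumption) of the receiving side: one argument per line,
// with CR and LF both treated as line delimiters, as the description states.
function splitArgLines(stream) {
  return stream.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
}

// "Before": arguments are joined with newlines and written as-is.
function frameUnchecked(args) {
  return args.join("\n") + "\n";
}

// "After": every argument is validated before it is framed.
function frameChecked(args) {
  return args.map((a, i) => assertSingleLineArg(a, `args[${i}]`)).join("\n") + "\n";
}

// Constructed sample: a caller-supplied tag value carrying an embedded newline.
const tagValue = "holiday photo\n-INJECTED_PLACEHOLDER";
const intended = [`-Comment=${tagValue}`, "photo.jpg"];

// Compares what the caller meant to send with what the line reader would see.
function demo() {
  const received = splitArgLines(frameUnchecked(intended));
  let rejected = null;
  try {
    frameChecked(intended);
  } catch (e) {
    rejected = e.message;
  }
  return { sent: intended.length, received, rejected };
}

console.log(demo());
```

Validating at the point of interpolation, rather than on the joined stream, keeps the error tied to the specific caller-supplied field that carried the delimiter.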

