CVE-2026-3102
HIGH WAF: High
CVSS 8.8
Published: 2026-02-24
CWE-77 CWE-78 CWE-78
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| exiftool_project | exiftool | up to 13.50 |
References
- github.com (Product)
- github.com (Patch)
- github.com (Release Notes)
- vuldb.com (Permissions Required)
- vuldb.com (Third Party Advisory, VDB Entry)
- vuldb.com (Exploit, Third Party Advisory, VDB Entry)
- www.youtube.com (Exploit)