CVE-2026-3102

6.3 MEDIUM
Published: February 24, 2026 Modified: February 26, 2026
View on NVD

Description

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/exiftool/exiftool/
Source: cna@vuldb.com
Product
https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
Source: cna@vuldb.com
Patch
https://github.com/exiftool/exiftool/releases/tag/13.50
Source: cna@vuldb.com
Release Notes
https://vuldb.com/?ctiid.347528
Source: cna@vuldb.com
Permissions Required
https://vuldb.com/?id.347528
Source: cna@vuldb.com
Third Party Advisory VDB Entry
https://vuldb.com/?submit.758146
Source: cna@vuldb.com
Exploit Third Party Advisory VDB Entry
https://www.youtube.com/watch?v=akk0vmilfb4
Source: cna@vuldb.com
Exploit

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.3 / 10.0
EPSS (Exploit Probability)
0.2%
42th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-77 CWE-78 CWE-78

Affected Vendors

exiftool_project apple

Related CVEs

CVE-2019-25582 6.5
CVE-2019-25581 8.2
CVE-2019-25580 8.2
CVE-2019-25579 7.5
CVE-2019-25578 8.2