CVE-2026-3102

MEDIUM

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

CVSS v3.1 Score

6.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Published: 2/24/2026Modified: 4/29/2026

Related Intelligence (1)

CRITICALZero Day

How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)

We explain how a flaw in ExifTool allows attackers to compromise macOS systems via a malicious image (CVE-2026-3102).

CVE-2026-3102
Securelist (Kaspersky)

References (7)

https://github.com/exiftool/exiftool/Producthttps://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7Patchhttps://github.com/exiftool/exiftool/releases/tag/13.50Release Noteshttps://vuldb.com/?ctiid.347528Permissions Requiredhttps://vuldb.com/?id.347528Third Party AdvisoryVDB Entryhttps://vuldb.com/?submit.758146ExploitThird Party Advisoryhttps://www.youtube.com/watch?v=akk0vmilfb4Exploit