CVE-2026-3102

MediumPublic PoC

Published: 24 February 2026

Published

24 February 2026

Modified

26 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Score 0.0026 49.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3102 is a medium-severity Command Injection (CWE-77) vulnerability in Exiftool Project Exiftool. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 49.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the OS command injection flaw in ExifTool by applying the patch to version 13.50.

SI-10 Information Input Validation partial match

prevent

Addresses command injection by enforcing validation and sanitization of inputs like the manipulated DateTimeOriginal argument in the PNG parser.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify the presence of CVE-2026-3102 in ExifTool installations for prompt patching.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of ExifTool via crafted PNG file for client-side code execution (T1203) and arbitrary OS command injection on macOS, facilitating Unix Shell usage (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is…

possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

Deeper analysisAI

CVE-2026-3102 is an OS command injection vulnerability affecting ExifTool versions up to 13.49 on macOS. The issue resides in the SetMacOSTags function within the lib/Image/ExifTool/MacOS.pm module of the PNG File Parser component. It is triggered by manipulation of the DateTimeOriginal argument, leading to command injection (CWE-77, CWE-78). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

The attack can be carried out remotely by an unauthenticated attacker with network access who tricks a user into processing a specially crafted PNG file using the vulnerable ExifTool version. User interaction is required, such as opening or parsing the malicious file. Successful exploitation allows limited impact on confidentiality, integrity, and availability, enabling arbitrary OS command execution on the target's macOS system.

Mitigation is addressed by upgrading to ExifTool version 13.50, which includes the fixing commit e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended, as detailed in the official GitHub repository, release notes, and commit history.

The exploit has been publicly disclosed and may be utilized, with further details available via VulDB entries.

Details

CWE(s): CWE-77 CWE-78

Affected Products

exiftool project

exiftool

≤ 13.50

CVEs Like This One

CVE-2025-43253Same product: Apple Macos

CVE-2025-24150Same product: Apple Macos

CVE-2026-33874Same product: Apple Macos

CVE-2026-39870Same product: Apple Macos

CVE-2026-25157Same product: Apple Macos

CVE-2026-27487Same product: Apple Macos

CVE-2025-30452Same product: Apple Macos

CVE-2025-43184Same product: Apple Macos

CVE-2025-43219Same product: Apple Macos

CVE-2025-43264Same product: Apple Macos

References

https://github.com/exiftool/exiftool/
Product · cna@vuldb.com
https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
Patch · cna@vuldb.com
https://github.com/exiftool/exiftool/releases/tag/13.50
Release Notes · cna@vuldb.com
https://vuldb.com/?ctiid.347528
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.347528
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.758146
Exploit, Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.youtube.com/watch?v=akk0vmilfb4
Exploit · cna@vuldb.com