ExifTool OS Command Injection Vulnerability in PNG File Parser on macOS

Vulnerability

A command injection vulnerability has been identified in ExifTool versions up to 13.49 on macOS. The issue arises in the PNG file parser within the 'SetMacOSTags' function of 'lib/Image/ExifTool/MacOS.pm'. Manipulating the 'DateTimeOriginal' argument leads to unauthorized command execution on the operating system. This vulnerability can be exploited remotely and has been publicly disclosed, with an available exploit. The issue has been patched in version 13.50.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the affected system.

Reproduction

To reproduce this vulnerability, use ExifTool version 13.49 on macOS. Create a PNG file and embed a payload in the 'DateTimeOriginal' metadata tag. When the file is processed with ExifTool, the payload is executed, leading to command injection. The exploit can be automated with a script that uploads the crafted PNG file and triggers the command execution.

Remediation

Upgrade ExifTool to version 13.50 or later, where this vulnerability has been fixed.
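As an added defensive check (not part of this advisory and not ExifTool's own code), the following Python script pre-screens untrusted PNG files before they reach an ExifTool that has not yet been upgraded: it walks the PNG chunks, verifies each CRC, pulls date-named properties out of the XMP packet in the iTXt chunk, and flags any DateTimeOriginal, CreateDate or ModifyDate value that is not a plain timestamp (for example one carrying shell metacharacters). It assumes the untrusted date travels in the PNG's XMP packet, which the advisory does not state; the sample PNG is constructed inline.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A well-formed EXIF/XMP timestamp: "YYYY:MM:DD HH:MM:SS" plus optional fraction and zone, nothing else.
DATE_RE = re.compile(r"^\d{4}[:-]\d{2}[:-]\d{2}[ T]\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:?\d{2})?$")
# Date-named XMP properties (optionally namespaced) written as attributes name="v" or elements <name>v</name>.
XMP_DATE_RE = re.compile(r'(?i)[<\s](?:\w+:)?(DateTimeOriginal|CreateDate|ModifyDate)\s*(?:="([^"]*)"|>([^<]*)<)')

def _chunk(ctype: bytes, payload: bytes) -> bytes:  # one PNG chunk: length, type, payload, CRC32 over type+payload
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
def build_sample_png(date_value: str) -> bytes:
    """Constructed 1x1 greyscale PNG whose XMP packet (iTXt chunk) carries the given DateTimeOriginal."""
    xmp = f'<x:xmpmeta><rdf:RDF><rdf:Description exif:DateTimeOriginal="{date_value}"/></rdf:RDF></x:xmpmeta>'
    itxt = b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + xmp.encode()  # keyword\0 flag method lang\0 tkw\0 text
    return (PNG_SIGNATURE + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"iTXt", itxt) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))

def iter_chunks(data: bytes):
    """Yield (type, payload) per chunk; reject a bad signature, a truncated chunk or a CRC mismatch."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload, end = data[pos + 8:pos + 8 + length], pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        if zlib.crc32(ctype + payload) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError(f"CRC mismatch in {ctype!r}")
        yield ctype, payload
        pos = end

def itxt_text(payload: bytes):
    """Return (keyword, text) of an iTXt chunk, inflating the text when its compression flag is set."""
    keyword, _, rest = payload.partition(b"\x00")
    compressed, rest = rest[0] == 1, rest[2:]                   # compression flag, then method byte
    rest = rest.partition(b"\x00")[2].partition(b"\x00")[2]     # skip language tag and translated keyword
    return keyword.decode("latin-1"), (zlib.decompress(rest) if compressed else rest).decode("utf-8", "replace")

def suspicious_dates(png: bytes):
    """List (name, value) for XMP date fields that are not a clean timestamp, e.g. ones carrying shell metacharacters."""
    findings = []
    for ctype, payload in iter_chunks(png):
        keyword, text = itxt_text(payload) if ctype == b"iTXt" else ("", "")
        if keyword == "XML:com.adobe.xmp":
            findings += [(n, (a or e).strip()) for n, a, e in XMP_DATE_RE.findall(text)
                         if not DATE_RE.match((a or e).strip())]
    return findings
```

A non-empty result (or a ValueError from the chunk walk) means the file should be quarantined rather than handed to the metadata pipeline; an empty result is not proof of safety, and upgrading to 13.50 remains the fix.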

Added: Feb 24, 2026, 3:26 PM
Updated: Feb 24, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 5.2
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.