Exiftool Code Injection Vulnerability in JPEG/QuickTime/MOV/MP4 Processing

Vulnerability

A code injection vulnerability has been identified in Exiftool versions prior to 13.54. The issue lies in the Process_mrld function in lib/Image/ExifTool/GM.pm and is reached when JPEG/QuickTime/MOV/MP4 files are processed. It allows local code execution when the '-ee' (extract embedded) argument is used. Exploitation requires local access to the application.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the local machine.

Reproduction

To reproduce this vulnerability, use Exiftool version 13.53 or earlier. Run Exiftool with the '-ee' argument while processing a file that contains timed metadata, such as a JPEG or a QuickTime/MOV file from a DJI camera. The application will execute the injected code, demonstrating the code execution vulnerability.

Remediation

Users are advised to upgrade to Exiftool version 13.54 or later, where this vulnerability has been patched.
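The following shell script is an added example, not part of this advisory or of the ExifTool project. It checks whether an installed exiftool reports a version older than the fixed release (13.54, taken from this advisory) by comparing the major and minor numbers as integers rather than as a string, so that 13.9 is not mistaken for being newer than 13.54. The FIXED_VERSION value and the function names are assumptions of this example; exiftool -ver is ExifTool's own version switch.

```shell
#!/bin/sh
# Version cut-off stated in the advisory: releases before 13.54 are affected.
FIXED_VERSION="13.54"

# is_vulnerable_version VERSION
# Returns 0 (true) when VERSION is older than FIXED_VERSION, 1 otherwise.
# ExifTool publishes versions as MAJOR.MINOR with a two-digit minor
# (e.g. 13.53, 13.54, 14.00); both parts are compared numerically.
is_vulnerable_version() {
  awk -v v="$1" -v f="$FIXED_VERSION" 'BEGIN {
    split(v, a, "."); split(f, b, ".")
    vmaj = a[1] + 0; vmin = a[2] + 0
    fmaj = b[1] + 0; fmin = b[2] + 0
    if (vmaj < fmaj) exit 0
    if (vmaj > fmaj) exit 1
    if (vmin < fmin) exit 0
    exit 1
  }'
}

# check_installed_exiftool
# Asks the exiftool on PATH for its version and reports whether it is
# within the affected range. Returns 0 (not affected), 1 (affected),
# 2 (exiftool not installed).
check_installed_exiftool() {
  if ! command -v exiftool >/dev/null 2>&1; then
    echo "exiftool not found on PATH"
    return 2
  fi
  ver=$(exiftool -ver)
  if is_vulnerable_version "$ver"; then
    echo "exiftool $ver is affected; upgrade to $FIXED_VERSION or later"
    return 1
  fi
  echo "exiftool $ver is not affected (fixed in $FIXED_VERSION)"
  return 0
}

# Run the live check only when invoked as: sh check_exiftool.sh --check
case "${1:-}" in
  --check) check_installed_exiftool ;;
esac
```

The exit code of check_installed_exiftool makes the script usable from a package-inventory or configuration-management job: a non-zero result flags the host for the upgrade described above.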

Added: May 1, 2026, 12:22 PM
Updated: May 1, 2026, 12:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.