
How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)

ExifTool versions 13.49 and earlier contain a critical command injection vulnerability, CVE-2026-3102, that lets an attacker execute arbitrary shell commands on macOS when ExifTool writes metadata copied from a malicious image file.

Key Points

  • The vulnerability is in the SetMacOSTags function, where an unsanitized tag value is built into a shell command string and handed to a system call, so shell metacharacters in the value are interpreted as commands.
  • An attacker triggers the flaw through the -tagsFromFile feature: a value taken from an attacker-controlled file is copied into the FileCreateDate tag, which on macOS is written by invoking an external command.
  • Exploitation requires the -n option, which disables ExifTool's value conversion; without it the copied value would pass through the normal date-time formatting, and with it the raw string, shell metacharacters included, reaches the command unchanged.
  • ExifTool 13.50 fixes the issue by replacing the string-built shell command with a list-form system call, so each argument is passed directly to the program and no shell parses the tag value.
  • Users should update to version 13.50 or later. Until then, avoid running ExifTool with -n and -tagsFromFile against untrusted input on macOS.

Why it Matters

This vulnerability is a significant risk for organizations that process images on macOS, because a seemingly benign file can be used to run commands on the host that handles it. The exposure is concentrated in automated workflows that copy tags between files with -tagsFromFile and -n, which is exactly what image ingestion and archival pipelines tend to do. The fix also illustrates a general rule for code that shells out to operating system utilities: never build a command line by concatenating untrusted strings; pass arguments as a list so the shell is not involved at all.
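The two patterns named in the key points and above, the string-built shell command versus the list-form call, as an added example that is not code from the Securelist article or from ExifTool itself. ExifTool is written in Perl, where the same contrast is `system "setfile -d '$val' '$file'"` versus `system 'setfile', '-d', $val, $file`; the example below reproduces it in Python so it can be run anywhere. The macOS utility that writes the creation date is stood in for by `echo`, so running the demo is harmless. The attacker value, the `set_date_*` function names and the `is_valid_datetime` allowlist regex are constructed for illustration and are not ExifTool's own.

```python
"""Shell-string versus argument-list command execution, the pattern behind
the ExifTool 13.50 fix. Hypothetical stand-in: `echo` replaces the real
macOS utility so the demonstration is harmless and runs offline."""
import re
import subprocess

# Constructed attacker-controlled tag value: a plausible date followed by a
# closing quote and further shell commands. With -n, ExifTool copies such a
# value verbatim, so nothing normalises it before the command is built.
PAYLOAD = "2024:01:01 00:00:00'; echo INJECTED; echo '"

# Simplified ExifTool-style date-time shape (YYYY:mm:dd HH:MM:SS with optional
# fractional seconds and zone). An assumption for this example, not ExifTool's
# own validation.
_DATETIME_RE = re.compile(
    r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?$"
)


def set_date_string_form(value: str) -> str:
    """Vulnerable pattern: the tag value is interpolated into one shell string.

    The shell parses the whole string, so a single quote inside ``value`` ends
    the intended argument and everything after it runs as separate commands.
    Returns whatever the shell printed.
    """
    cmd = f"echo '{value}'"  # stand-in for: <utility> -d '<value>' <file>
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def set_date_list_form(value: str) -> str:
    """Fixed pattern: an argv list, no shell involved.

    The value becomes exactly one argv entry no matter which quotes or
    semicolons it contains; the program receives it as an opaque string.
    """
    out = subprocess.run(["echo", value], capture_output=True, text=True)
    return out.stdout


def is_valid_datetime(value: str) -> bool:
    """Defence-in-depth allowlist applied before any external call.

    The list form already removes the injection; rejecting values that do not
    look like a date additionally stops garbage from reaching the utility.
    """
    return _DATETIME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("string form output:", repr(set_date_string_form(PAYLOAD)))
    print("list form output:  ", repr(set_date_list_form(PAYLOAD)))
    print("allowlist payload: ", is_valid_datetime(PAYLOAD))
    print("allowlist date:    ", is_valid_datetime("2024:01:01 00:00:00"))
```

Run it and compare the two outputs: the string form prints the date and then a separate `INJECTED` line, proving the second command executed, while the list form prints the entire payload as one literal line. The allowlist check is the extra guard a reviewer would ask for even after the list-form fix, since it fails closed on anything that is not a date.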
Source: Securelist.com, published by Lucas Tay