CVE-2026-3102: OS Command Injection in exiftool
A vulnerability was found in exiftool up to 13.49 on macOS. It affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. Manipulating the argument DateTimeOriginal leads to OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
AI Analysis
Technical Summary
CVE-2026-3102 is an OS command injection vulnerability found in the exiftool utility, a widely used metadata extraction and manipulation tool. The flaw resides in the SetMacOSTags function of the lib/Image/ExifTool/MacOS.pm file, specifically within the PNG File Parser component. The vulnerability arises when the DateTimeOriginal argument is manipulated, allowing an attacker to inject and execute arbitrary operating system commands on macOS systems. This occurs because the input is not properly sanitized before being passed to system-level command execution functions. The vulnerability is remotely exploitable without requiring authentication or elevated privileges, but it does require user interaction, such as processing a crafted PNG file containing malicious metadata. The CVSS 4.0 base score is 5.3, reflecting a medium severity level due to the ease of exploitation and potential impact on confidentiality, integrity, and availability, albeit with limited scope and partial impact. The vulnerability was publicly disclosed on February 24, 2026, and a patch was released in exiftool version 13.50 to address the issue by properly sanitizing input and preventing command injection. No known exploits are currently observed in the wild, but the public disclosure increases the risk of exploitation attempts. The vulnerability primarily affects macOS environments where exiftool is used to process PNG images, especially in automated workflows or services that handle untrusted image metadata.
Potential Impact
The vulnerability allows remote attackers to execute arbitrary OS commands on affected macOS systems, potentially leading to unauthorized data access, modification, or disruption of service. This can compromise system confidentiality by exposing sensitive information, integrity by altering or corrupting data, and availability by causing system instability or denial of service. Since exiftool is commonly used in digital forensics, media processing, and content management, exploitation could impact organizations relying on automated image metadata processing, including media companies, cybersecurity firms, and cloud service providers. The lack of required privileges or authentication lowers the barrier for attackers, increasing the risk of widespread exploitation if unpatched systems process malicious PNG files. However, the requirement for user interaction (processing crafted files) somewhat limits mass exploitation. The medium severity rating reflects these factors, indicating a significant but not critical threat.
Mitigation Recommendations
1. Upgrade exiftool to version 13.50 or later immediately to apply the official patch that fixes the command injection vulnerability.
2. Implement strict input validation and sanitization on all image metadata inputs, especially the DateTimeOriginal field, to prevent malicious payloads from reaching vulnerable code paths.
3. Restrict the use of exiftool in automated workflows to trusted sources and avoid processing untrusted or unknown PNG files.
4. Employ application whitelisting and sandboxing techniques on macOS systems running exiftool to limit the impact of potential command execution.
5. Monitor logs and network traffic for unusual activity related to exiftool usage, such as unexpected command executions or file processing anomalies.
6. Educate users and administrators about the risks of processing untrusted image files and enforce policies to minimize exposure.
7. Consider deploying endpoint detection and response (EDR) solutions capable of detecting suspicious command injection attempts or anomalous behavior linked to exiftool.
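Recommendations 1 and 2 can be enforced as a gate in front of an automated macOS workflow. The sketch below is an added example, not code from the advisory or from the exiftool project. It assumes the version string is what `exiftool -ver` prints and that metadata records have already been parsed into dictionaries keyed by tag name; the function names and sample records are hypothetical.

```python
import re
from datetime import datetime
from decimal import Decimal

FIXED_VERSION = Decimal("13.50")  # first fixed release named in the advisory

# Allowlist: "YYYY:MM:DD HH:MM:SS" plus optional fraction and time zone.
_EXIF_DT = re.compile(
    r"(\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2})(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})?",
    re.ASCII)


def is_affected(version_text):
    """True if the reported version predates 13.50; unparseable input fails closed."""
    text = version_text.strip()
    if not re.fullmatch(r"[0-9]+\.[0-9]+", text):
        return True
    return Decimal(text) < FIXED_VERSION


def is_plain_exif_datetime(value):
    """True only for a well-formed EXIF timestamp with nothing before or after it."""
    m = _EXIF_DT.fullmatch(value) if isinstance(value, str) else None
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y:%m:%d %H:%M:%S")  # calendar range check
    except ValueError:
        return False
    return True


def quarantine_list(records):
    """Names of files whose DateTimeOriginal is present but not a plain timestamp."""
    return [r.get("SourceFile", "<unknown>") for r in records
            if "DateTimeOriginal" in r
            and not is_plain_exif_datetime(r["DateTimeOriginal"])]


# Constructed sample records; not taken from any real file.
SAMPLE = [
    {"SourceFile": "a.png", "DateTimeOriginal": "2026:02:24 09:53:41"},
    {"SourceFile": "b.png", "DateTimeOriginal": "2026:02:24 09:53:41.25+01:00"},
    {"SourceFile": "c.png", "DateTimeOriginal": "2026:02:24 09:53:41; extra"},
    {"SourceFile": "d.png", "DateTimeOriginal": "2026:02:24 09:53:41\n"},
    {"SourceFile": "e.png"},
]

if __name__ == "__main__":
    print(is_affected("13.49"), quarantine_list(SAMPLE))
```

Validation of this kind is defence in depth for hosts that cannot be upgraded at once; the upgrade to 13.50 remains the fix.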
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-24T09:53:41.654Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699db9f0be58cf853be5ecac
Added to database: 2/24/2026, 2:47:12 PM
Last enriched: 3/3/2026, 6:54:29 PM
Last updated: 4/10/2026, 11:56:29 PM