CVE-2026-3102: OS Command Injection in exiftool
A vulnerability was found in exiftool up to 13.49 on macOS. It affects the function SetMacOSTags in the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. Manipulation of the argument DateTimeOriginal leads to OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 13.50 addresses this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.
AI Analysis
Technical Summary
CVE-2026-3102 is an OS command injection vulnerability identified in the exiftool utility, specifically affecting versions 13.0 through 13.49 on macOS platforms. The vulnerability resides in the SetMacOSTags function of the PNG File Parser module (lib/Image/ExifTool/MacOS.pm). This function improperly handles the DateTimeOriginal argument, allowing an attacker to inject arbitrary OS commands. Because exiftool processes metadata from image files, an attacker can craft a malicious PNG file with a manipulated DateTimeOriginal tag to trigger command injection when the file is parsed. The attack vector is remote, as the malicious file can be delivered over a network or via user download. Exploitation requires no privileges or authentication but does require user interaction to process the malicious file. The vulnerability impacts confidentiality, integrity, and availability by enabling arbitrary command execution on the victim system. The issue has been publicly disclosed, increasing the risk of exploitation, although no active exploits have been reported yet. The vendor has addressed the vulnerability in exiftool version 13.50, which includes a patch that properly sanitizes the DateTimeOriginal input to prevent command injection. Users are strongly advised to upgrade to this version or later to mitigate the risk.
Potential Impact
The vulnerability allows remote attackers to execute arbitrary OS commands on affected macOS systems running vulnerable exiftool versions. This can lead to full system compromise, including unauthorized data access, data modification, or disruption of services. Since exiftool is widely used for metadata extraction and manipulation in various applications and workflows, especially in media processing and digital forensics, exploitation could impact numerous organizations. Attackers could leverage this flaw to deploy malware, establish persistence, or pivot within networks. The requirement for user interaction (processing a crafted PNG file) limits automated exploitation but does not eliminate risk, especially in environments where untrusted images are handled. The broad range of affected versions indicates a long-standing exposure, increasing the likelihood of targeted attacks once exploit code becomes available. The medium CVSS score reflects moderate ease of exploitation combined with significant potential impact on system security.
Mitigation Recommendations
1. Upgrade exiftool to version 13.50 or later immediately to apply the official patch that addresses the command injection vulnerability.
2. Implement strict input validation and sanitization for image metadata processing, especially when handling untrusted or external files.
3. Employ application whitelisting and sandboxing techniques to limit the execution context of exiftool, reducing the impact of potential exploitation.
4. Monitor systems for unusual process executions or command-line activity related to exiftool usage.
5. Educate users and administrators about the risks of processing untrusted image files and enforce policies restricting such activities.
6. Where possible, isolate systems that perform metadata extraction from critical network segments to contain potential breaches.
7. Review and update incident response plans to include scenarios involving metadata processing vulnerabilities.
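To make recommendation 1 checkable across a fleet, the following added example (not part of the advisory or of exiftool itself) classifies hosts from the output of `exiftool -ver`. It assumes every release below 13.50 is affected, per the description's "up to 13.49", and that macOS is reported as `Darwin`; the status labels, function names and inventory rows are constructed for illustration.

```python
import platform
import re
import shutil
import subprocess

FIXED = (13, 50)  # first fixed release named in the advisory
_VER = re.compile(r"^(\d+)\.(\d+)$")

def parse_version(text):
    """Parse `exiftool -ver` output such as '13.49' into (13, 49); None if malformed."""
    m = _VER.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def status(version_text, os_name):
    """Classify one host; os_name uses platform.system() values ('Darwin' = macOS)."""
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"      # unparseable output needs manual review, not a pass
    if ver >= FIXED:
        return "patched"
    # The advisory scopes the flaw to macOS; older builds elsewhere are only noted.
    return "vulnerable" if os_name == "Darwin" else "not-macos"

def local_status():
    """Check this machine. exiftool is run with an argv list, never a shell string."""
    exe = shutil.which("exiftool")
    if exe is None:
        return "not-installed"
    out = subprocess.run([exe, "-ver"], capture_output=True, text=True, timeout=10)
    return status(out.stdout, platform.system())

def triage(rows):
    """rows: (host, os_name, version_text) tuples. Returns the hosts needing action."""
    flagged = []
    for host, os_name, version_text in rows:
        result = status(version_text, os_name)
        if result in ("vulnerable", "unknown"):
            flagged.append((host, result))
    return flagged

# Constructed inventory sample: hostnames and versions are made up.
SAMPLE = [
    ("mac-media-01", "Darwin", "13.49\n"),
    ("mac-media-02", "Darwin", "13.50\n"),
    ("lin-ingest-01", "Linux", "12.76\n"),
    ("mac-lab-03", "Darwin", "exiftool: command failed"),
]

if __name__ == "__main__":
    print("local:", local_status())
    print("fleet:", triage(SAMPLE))
```

Hosts reported as `unknown` are kept in the action list on purpose, so a failed version probe is never read as a clean result.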
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-24T09:53:41.654Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699db9f0be58cf853be5ecac
Added to database: 2/24/2026, 2:47:12 PM
Last enriched: 2/24/2026, 3:01:33 PM
Last updated: 2/24/2026, 11:27:04 PM