Flaw in widely used open-source metadata tool allows arbitrary code execution through crafted image files; patch available
Kaspersky's Global Research and Analysis Team identified a command injection vulnerability (CVE-2026-3102) in ExifTool, a free, open-source tool used worldwide to read and edit metadata in images, videos and PDF files. The flaw, which affects macOS systems running ExifTool version 13.49 and earlier, could allow an attacker to execute arbitrary commands by embedding hidden instructions in an image file's metadata. The project maintainer, Phil Harvey, has patched the vulnerability in ExifTool version 13.50, released Feb. 7.
The vulnerability stems from improper input sanitisation in how ExifTool processes certain metadata tags on macOS. An attacker can craft a malicious PNG containing embedded commands that execute when ExifTool processes the file. The exploit is low-complexity: one command generates the weaponised image, and a second triggers execution on the target system.
Once exploited, the flaw could allow a threat actor to download and run additional malware payloads or collect sensitive information from files — including images and PDFs — stored on the compromised machine.
ExifTool is a free and open source software programme for reading, writing, and manipulating image, audio, video, and PDF metadata. It is commonly incorporated into different types of digital workflows, and is often used in digital forensic analysis and library archival. Typical OSINT pivots include extracting capture dates/locations, identifying editing software, reconciling sidecars, and comparing metadata deltas between versions.
“What makes this vulnerability stand out is the contrast between how simple it is to exploit, assuming a certain command line is used, and how deeply ExifTool is embedded in professional workflows. Anyone running ExifTool on macOS should update to version 13.50, and teams with automated pipelines should verify which version their scripts invoke as well,” said Lucas Tay, security researcher at Kaspersky’s Global Research and Analysis Team.
To mitigate CVE-2026-3102, Kaspersky recommends updating ExifTool to version 13.50 or later. Avoid processing image files from untrusted sources with unpatched versions on macOS. Audit automated workflows and scripts that call ExifTool to confirm they reference the patched version. Organisations that rely on open-source components in their workflows can use Kaspersky's Open Source Software Threats Data Feed to continuously track vulnerabilities across their software supply chain.
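One way to carry out the audit step above, as an added example that is not code from the advisory or from the ExifTool project: the script below pulls every ExifTool path out of the workflow scripts under a directory, asks each binary for its version with the real `exiftool -ver` option, and flags anything older than 13.50. It assumes plain-text scripts and constructs its own sample data (two stub binaries reporting 13.49 and 13.50) so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not the advisory's or ExifTool's own code): find the ExifTool
# binaries that workflow scripts invoke and flag any older than 13.50, the
# release fixing CVE-2026-3102. Assumes plain-text scripts under DIR and
# binaries that answer "-ver".

# version_is_patched VER: 0 if VER >= 13.50, 1 if older, 2 if not MAJOR.MINOR.
version_is_patched() {
    local ver="$1" major minor
    case "$ver" in *.*) ;; *) return 2 ;; esac                   # needs a dot
    major=${ver%%.*}; minor=${ver#*.}
    case "$major:$minor" in *[!0-9:]*|:*|*:) return 2 ;; esac    # digits only
    [ "$major" -gt 13 ] || { [ "$major" -eq 13 ] && [ "$minor" -ge 50 ]; }
}

# audit_scripts DIR: one line per exiftool invocation found in scripts under DIR:
#   <script> <binary> <version or -> <PATCHED|VULNERABLE|UNKNOWN>
audit_scripts() {
    local script bin ver rc status
    grep -rHo '[[:alnum:]_./~-]*exiftool' "$1" 2>/dev/null | sort -u |
    while IFS=: read -r script bin; do
        # A bare "exiftool" is whatever this shell's PATH resolves it to.
        case "$bin" in */*) ;; *) bin=$(command -v "$bin" 2>/dev/null || echo "$bin") ;; esac
        ver=$("$bin" -ver 2>/dev/null) || ver=''
        version_is_patched "$ver" && rc=0 || rc=$?
        case "$rc" in 0) status=PATCHED ;; 1) status=VULNERABLE ;; *) status=UNKNOWN ;; esac
        printf '%s %s %s %s\n' "$script" "$bin" "${ver:--}" "$status"
    done
}

# workflow_is_safe DIR: succeeds only when no invocation is VULNERABLE (UNKNOWN still needs a look).
workflow_is_safe() { ! audit_scripts "$1" | grep -q ' VULNERABLE$'; }

# make_demo_workflow: constructed sample data, two stub "exiftool" binaries
# (13.49 and 13.50) and two scripts calling them; prints the scripts directory.
make_demo_workflow() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/old" "$root/new" "$root/scripts"
    printf '#!/bin/sh\necho 13.49\n' > "$root/old/exiftool"
    printf '#!/bin/sh\necho 13.50\n' > "$root/new/exiftool"
    chmod +x "$root/old/exiftool" "$root/new/exiftool"
    printf '%s -all= "$1"\n' "$root/old/exiftool" > "$root/scripts/strip.sh"
    printf '%s -json "$1"\n' "$root/new/exiftool" > "$root/scripts/dump.sh"
    echo "$root/scripts"
}

demo_dir=$(make_demo_workflow)
audit_scripts "$demo_dir"
workflow_is_safe "$demo_dir" || echo "at least one script still calls a vulnerable ExifTool"
```

Point `audit_scripts` at a real workflow directory to get the same report for your own pipelines; a non-zero exit from `workflow_is_safe` is suitable as a CI gate.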