ExifTool's CVE-2026-3102 vulnerability could allow an attacker on macOS to run arbitrary commands by hiding instructions inside an image's metadata; it affects ExifTool 13.49 and earlier. Discovered by Kaspersky's GReAT in February 2026 and patched by the developers the same month, the flaw lies in a code path where unsanitised data reaches the system() sink via the FileCreateDate parameter.
The researchers show that the exploit uses the -n flag to bypass human-readable date formatting and then copies a crafted DateTimeOriginal tag into FileCreateDate using -tagsFromFile, triggering the dangerous system() call. A single-quote injection into the datetime tag can yield command-line execution, with the payload executed through /usr/bin/setfile on macOS when the metadata is processed.
According to Securelist, the fix in version 13.50 replaces string concatenation with a list-based API call, removing the risk of shell interpretation, and adds a System() wrapper to centralise command execution. This underlines a general security principle: avoid building shell command strings by hand and pass arguments through argument-list interfaces instead.
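As an added illustration (not ExifTool's Perl code and not material from Securelist), here is the same contrast in Python: the pre-fix string-built command line beside a validated argument-list form and a single execution wrapper. The date regex, the setfile date format, the function names and the sample values are assumptions made for this example.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Assumption: this allow-list is the author's own, not ExifTool's parser.
EXIF_DATETIME = re.compile(
    r"^(\d{4}):(\d{2}):(\d{2}) (\d{2}):(\d{2}):(\d{2})(?:[+-]\d{2}:\d{2}|Z)?$"
)
SETFILE = "/usr/bin/setfile"

# Constructed sample values (not from the advisory): a well-formed date and
# one carrying a single quote that closes the shell's quoting early.
GOOD_DATE = "2026:02:14 09:30:00"
BAD_DATE = "2026:02:14 09:30:00' 'extra"
PHOTO = "/tmp/example.jpg"

def is_valid_exif_datetime(value: str) -> bool:
    """Allow-list check: only the documented date/time shape passes."""
    return EXIF_DATETIME.match(value) is not None

def fragile_command_line(value: str, path: str) -> str:
    """Pre-fix pattern: value interpolated into one string meant for a shell.
    Built only so its word-splitting can be inspected; never executed here."""
    return f"{SETFILE} -d '{value}' '{path}'"

def shell_word_count(command_line: str) -> Optional[int]:
    """Words a POSIX shell would see (4 intended), None if quoting is unbalanced."""
    try:
        return len(shlex.split(command_line))
    except ValueError:
        return None

def build_setfile_argv(value: str, path: str) -> List[str]:
    """Post-fix pattern: validate, then one argv entry per argument, no shell."""
    m = EXIF_DATETIME.match(value)
    if m is None:
        raise ValueError(f"rejected date/time value: {value!r}")
    yyyy, mo, dd, hh, mi, ss = m.groups()
    # Assumption: setfile -d takes mm/dd/yyyy hh:mm:ss in local time.
    return [SETFILE, "-d", f"{mo}/{dd}/{yyyy} {hh}:{mi}:{ss}", path]

def system_list(argv: List[str]) -> int:
    """Central wrapper in the spirit of the 13.50 fix: a bare string is refused
    so no caller can reintroduce shell interpretation."""
    if isinstance(argv, str):
        raise TypeError("system_list() takes an argument list, not a shell string")
    return subprocess.run(argv, shell=False, check=False).returncode
```

With the quote-bearing sample, the string form splits into five shell words instead of four, while the list form rejects it before any process is started.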