← Back

Exiftool Project

exiftool_project

4 CVEs • 1 product

Products (1)

Click to collapse
Toggle
Exiftool
exiftool
4 CVEs

CVEs (4)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-3102
1Exiftool Project
1Exiftool
Apr 29, 2026
Feb 24, 2026
2.1 LOW· v4
8.8 HIGH· v3
7.5 HIGH· v2
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument Da...Show more
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.Show less
CVE-2022-23935
1Exiftool Project
1Exiftool
Nov 21, 2024
Jan 25, 2022
N/A· v4
7.8 HIGH· v3
7.6 HIGH· v2
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.
CVE-2021-22204
3Debian
Exiftool ProjectFedoraproject
3Debian Linux
ExiftoolFedora
Nov 3, 2025
Apr 23, 2021
N/A· v4
7.8 HIGH· v3
6.8 MEDIUM· v2
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
CVE-2018-20211
1Exiftool Project
1Exiftool
Nov 21, 2024
Jan 2, 2019
N/A· v4
7.8 HIGH· v3
6.8 MEDIUM· v2
ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\par-%username%\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL...Show more
ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\par-%username%\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).Show less