How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)
ID: 1384c1d2-3676-547a-9530-c0f21e9cc2e1
STIX ID: report--1384c1d2-3676-547a-9530-c0f21e9cc2e1
Feed Name: Securelist by Kaspersky
This report analyzes CVE-2026-3102, a command-injection vulnerability in ExifTool (<=13.49) on macOS that arises from unsanitized FileCreateDate metadata when copying tags with -tagsFromFile combined with the -n flag. The author shows how an attacker can store a payload in a writable EXIF tag (e.g., DateTimeOriginal), bypass formatting filters with -n, copy it into FileCreateDate to trigger a system() sink, and execute arbitrary commands as the invoking user; the issue is fixed in ExifTool 13.50 by replacing string-based system calls with an argument-list wrapper.
