Exploiting ExifTool's macOS Command Injection Blind Spot (CVE-2026-3102)
A JPEG should never execute shell commands.
Yet on macOS, ExifTool versions up to 13.49 allowed attacker-controlled metadata to flow into a shell execution path through a vulnerable macOS-specific code path.
The result: a crafted image file capable of triggering arbitrary command execution during metadata processing.
We will see how a malicious actor can embed commands in an ordinary JPEG file and trigger command injection. This walkthrough is a discussion-oriented proof-of-concept intended to explain CVE-2026-3102.
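As an added example (not code from the article or from the ExifTool project): a pure-Python pre-screen that walks a JPEG's marker segments and flags COM/APPn metadata containing shell metacharacters, so a pipeline can quarantine a file before it is handed to a tool that has a shell execution path. The sample JPEG bytes and the metacharacter set are constructed assumptions, not values taken from the advisory.

```python
import re

SOI = b"\xff\xd8"
# Heuristic set of shell metacharacters that should never appear in a
# metadata string destined for a shell (an assumption, not the advisory's list).
SHELL_META = re.compile(rb"[;&|`$()<>\n]")


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before SOS/EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        # SOI/EOI/SOS/RSTn carry no length field; SOS starts entropy-coded data.
        if marker in (0xD8, 0xD9, 0xDA) or 0xD0 <= marker <= 0xD7:
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def suspicious_metadata(data: bytes):
    """Return [(segment_name, snippet)] for COM/APPn payloads with shell metacharacters.

    Binary APPn payloads (ICC profiles, thumbnails) can trip the heuristic, so
    treat a hit as a reason to quarantine and inspect, not as proof of an exploit.
    """
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE:
            name = "COM"
        elif 0xE0 <= marker <= 0xEF:
            name = f"APP{marker - 0xE0}"
        else:
            continue
        m = SHELL_META.search(payload)
        if m:
            hits.append((name, payload[max(0, m.start() - 8):m.start() + 8]))
    return hits


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the length field counts itself plus the payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample files: a benign comment, and one carrying a shell separator.
BENIGN = SOI + segment(0xFE, b"Holiday photo 2024") + b"\xff\xd9"
CRAFTED = SOI + segment(0xFE, b"caption; echo injected") + b"\xff\xd9"
```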
1. What is ExifTool?
ExifTool is deeply embedded across modern workflows.
It powers asset pipelines, forensic tooling, content management systems, photo-processing software, and developer automation. If a system processes image metadata, there is a good chance ExifTool exists somewhere in that chain.
And on macOS, versions up to 13.49 had a command injection vulnerability hidden…