Code Injection Vulnerability in Exiftool Affects JPEG/QuickTime/MOV/MP4 Components
CVE-2026-7580

4.8 MEDIUM

Key Information:

Vendor: Exiftool

Status
Vendor
CVE Published: 1 May 2026

What is CVE-2026-7580?

A code injection vulnerability has been identified in Exiftool, affecting versions up to 13.53. The flaw is in the Process_mrld function in the file lib/Image/ExifTool/GM.pm and is reached through manipulation of the -ee argument. Local access is a prerequisite for exploitation, but the issue poses a significant risk if exploited. Users are strongly encouraged to upgrade to version 13.54 or later to mitigate this vulnerability. The patch is the source code commit 5a8b6b6ead12b39e3f32f978a4efd0233facbb01.

Affected Version(s)

Exiftool 13.0

Exiftool 13.1

Exiftool 13.2

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ilyass-armadin (VulDB User)
VulDB CNA Team