Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: "[J]ust to be safe, probably never happen".
AnalysisAI
Code injection in ExifTool versions up to 13.53 allows local attackers with limited privileges to execute arbitrary code via manipulation of the -ee argument in the Process_mrld function when processing JPEG/QuickTime/MOV/MP4 files. The vulnerability has a very low CVSS score of 1.9 due to local-only attack vector and low impact, but is tagged as RCE. Vendor-released patch available in version 13.54.
Technical ContextAI
ExifTool is a Perl-based metadata extraction and manipulation library commonly used to read and write EXIF data in image and video files. The vulnerability exists in lib/Image/ExifTool/GM.pm, specifically in the Process_mrld function which handles metadata processing for JPEG, QuickTime, MOV, and MP4 files. The root cause is CWE-94 (Improper Control of Generation of Code, a code injection vulnerability), where the -ee (extract embedded) command-line argument is not properly sanitized before being used in code evaluation or execution context. The fix commit comment states '[J]ust to be safe, probably never happen,' indicating the developers recognized the theoretical injection point and added defensive filtering.
RemediationAI
Vendor-released patch: Upgrade to ExifTool version 13.54 or later. The patch modifies argument parsing logic in the exiftool command-line interface to properly handle the -api, -charset, and -lang options by deferring their processing to prevent injection, and adds a space character to the allowed character set in SetWindowTitle function. For organizations unable to immediately upgrade, restrict local system access to trusted users only, disable or remove ExifTool from systems where it is not actively required, or implement execution through a sandboxed process with minimal privileges. If ExifTool is exposed through a web interface or automation service, ensure it runs in a container or chroot with no shell access. Note that workarounds are limited since the vulnerability requires local execution; the primary risk mitigation is prompt patching. See https://github.com/exiftool/exiftool/releases/tag/13.54 for upgrade instructions.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26500