CVE-2026-43893

Source
https://cve.org/CVERecord?id=CVE-2026-43893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43893
Aliases
Published
2026-05-11T20:59:14.560Z
Modified
2026-07-08T08:11:41.533760284Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
exiftool-vendored: Argument injection via newline characters in tag names
Details

exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43893.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-88"
    ]
}
References

Affected packages

Git / github.com/photostructure/exiftool-vendored.js

Affected ranges

Type
GIT
Repo
https://github.com/photostructure/exiftool-vendored.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "35.19.0"
        }
    ]
}

Affected versions

30.*
30.0.0
30.1.0
30.2.0
30.3.0
30.4.0
30.5.0
31.*
31.0.0
31.1.0
31.2.0
31.3.0
32.*
32.0.1
32.1.0
33.*
33.0.0
33.1.0
33.2.0
33.3.0
33.4.0
33.5.0
34.*
34.0.0
34.1.0
34.2.0
34.3.0
35.*
35.0.0
35.1.0
35.10.0
35.10.1
35.11.0
35.12.0
35.12.1
35.13.0
35.13.1
35.14.0
35.15.1
35.16.0
35.17.0
35.18.0
35.2.0
35.3.0
35.4.0
35.5.0
35.6.0
35.7.0
35.8.0
35.9.0
v0.*
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v1.*
v1.0.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v10.*
v10.0.0
v10.1.0
v11.*
v11.0.0
v11.1.0
v11.2.0
v11.3.0
v11.4.0
v11.5.0
v12.*
v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.3.1
v13.*
v13.0.0
v13.1.0
v13.2.0
v14.*
v14.0.0
v14.1.0
v14.1.1
v14.2.0
v14.3.0
v14.4.0
v14.5.0
v14.6.0
v14.6.1
v14.6.2
v15.*
v15.0.0
v15.1.0
v15.10.0
v15.10.1
v15.11.0
v15.12.0
v15.12.1
v15.2.0
v15.3.0
v15.4.0
v15.5.0
v15.6.0
v15.7.0
v15.8.0
v15.9.0
v15.9.1
v15.9.2
v16.*
v16.0.0
v16.1.0
v16.2.0
v16.3.0
v16.4.0
v16.5.1
v17.*
v17.0.0
v17.0.1
v17.1.0
v18.*
v18.0.0
v18.1.0
v18.2.0
v18.3.0
v18.4.0
v18.4.1
v18.4.2
v18.5.0
v18.6.0
v19.*
v19.0.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.10.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.16.1
v2.17.0
v2.2.0
v2.3.0
v2.4.0
v2.7.0
v2.8.0
v2.9.0
v20.*
v20.0.0
v21.*
v21.0.0
v21.1.0
v21.2.0
v21.3.0
v21.4.0
v21.5.0
v21.5.1
v22.*
v22.0.0
v22.1.0
v22.2.0
v22.2.1
v22.2.2
v22.2.3
v23.*
v23.0.0
v23.1.0
v23.2.0
v23.3.0
v23.4.0
v23.5.0
v23.6.0
v23.7.0
v24.*
v24.0.0
v24.1.0
v24.2.0
v24.3.0
v24.4.0
v24.5.0
v24.6.0
v25.*
v25.0.0
v25.1.0
v25.2.0
v26.*
v26.0.0
v26.1.0
v28.*
v28.0.0
v28.1.0
v28.2.0
v28.2.1
v28.3.0
v28.3.1
v28.4.0
v28.4.1
v28.5.0
v28.6.0
v28.7.0
v28.8.0
v29.*
v29.0.0
v29.1.0
v29.2.0
v29.3.0
v3.*
v3.1.0
v3.1.1
v3.2.0
v4.*
v4.0.0-alpha.0
v4.1.0
v4.10.0
v4.12.0
v4.12.1
v4.13.0
v4.13.1
v4.14.0
v4.14.0-0
v4.14.0-1
v4.14.1
v4.15.0
v4.16.0
v4.17.0
v4.18.0
v4.18.1
v4.20.0
v4.21.0
v4.22.0
v4.22.1
v4.23.0
v4.24.0
v4.25.0
v4.26.0
v4.4.1
v4.5.0
v4.6.0
v4.7.0
v4.7.1
v4.8.0
v4.9.1
v4.9.2
v5.*
v5.0.0
v5.1.0
v5.2.0
v5.3.0
v5.4.0
v5.5.0
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v7.*
v7.0.0
v7.0.1
v7.1.0
v7.2.0
v7.2.1
v7.3.0
v7.4.0
v7.5.0
v7.6.0
v7.6.1
v8.*
v8.0.0
v8.1.0
v8.10.0
v8.10.1
v8.11.0
v8.12.0
v8.13.0
v8.13.1
v8.14.0
v8.15.0
v8.16.0
v8.17.0
v8.18.0
v8.19.0
v8.2.0
v8.20.0
v8.21.0
v8.21.1
v8.22.0
v8.3.0
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.6.1
v8.7.1
v8.8.0
v8.9.0
v9.*
v9.0.0
v9.0.0-alpha.1
v9.0.0-alpha.2
v9.1.0
v9.2.0
v9.3.0
v9.3.1
v9.4.0
v9.5.0
v9.6.0
v9.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43893.json"