CVE-2026-43893: ExifTool Argument Injection Threatens File Operations

The National Vulnerability Database has detailed CVE-2026-43893, an argument injection vulnerability affecting exiftool-vendored versions prior to 35.19.0. This Node.js wrapper for ExifTool, which operates in a ‘stay_open’ mode, is susceptible to attacker-controlled strings containing line delimiters. These delimiters can split a single intended argument into multiple ExifTool commands.

This flaw, classified with a CVSS score of 8.2 (HIGH), enables attackers to manipulate ExifTool to read arbitrary files accessible to the ExifTool process or write output to attacker-chosen file system paths. While remote code execution has not been demonstrated, the ability to read and write files under the process’s context is a significant vector for further compromise, data exfiltration, or system disruption. The fix addresses this by rejecting line delimiters and NUL bytes in caller-supplied strings.
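The splitting behaviour and the described fix, modelled as an added example (not code from exiftool-vendored or ExifTool). All function names and sample strings are hypothetical, and the line-oriented reader is a simplified assumption about how the argument stream is consumed.

```javascript
// Added illustration; function names are hypothetical, not exiftool-vendored's API.

// Simplified model of the receiving side (assumption): ExifTool reads its
// argument stream one argument per line, so any line break ends an argument.
function parseArgStream(stream) {
  return stream.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
}

// Pre-fix behaviour as the advisory describes it: caller strings are written
// to the stream as-is, one per line, with no check on their contents.
function frameUnchecked(args) {
  return args.map((arg) => arg + "\n").join("");
}

// Post-fix behaviour as described: refuse line delimiters and NUL bytes in
// any caller-supplied string before it reaches the stream.
const FORBIDDEN = /[\r\n\0]/;

function frameChecked(args) {
  args.forEach((arg, i) => {
    if (typeof arg !== "string") {
      throw new TypeError(`argument ${i} is not a string`);
    }
    if (FORBIDDEN.test(arg)) {
      throw new RangeError(`argument ${i} contains a line delimiter or NUL byte`);
    }
  });
  return frameUnchecked(args);
}

// Constructed inputs: one clean call, one whose caption carries a line break.
const cleanCall = ["-Title=Sunset", "photo.jpg"];
const taintedCall = ["-Title=Sunset\n-InjectedOption", "photo.jpg"];

// Returns how many arguments the reader sees for a call, or the rejection.
function argsSeen(call, frame) {
  try {
    return parseArgStream(frame(call)).length;
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

console.log(argsSeen(cleanCall, frameUnchecked));   // 2
console.log(argsSeen(taintedCall, frameUnchecked)); // 3
console.log(argsSeen(taintedCall, frameChecked));
```

Rejecting the string outright, rather than stripping the delimiter, keeps a tainted value from being silently rewritten into something the caller never intended.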

Organizations leveraging exiftool-vendored in applications that process untrusted input are directly exposed. Attackers can craft malicious input to exploit this vulnerability, potentially gaining unauthorized access to sensitive data or altering system configurations. The implications for data integrity and confidentiality are substantial, demanding immediate patching.

What This Means For You

  • If your applications utilize `exiftool-vendored` and handle attacker-controlled strings, you need to patch to version 35.19.0 or later immediately. Audit any systems that process untrusted image metadata or similar file inputs for suspicious ExifTool activity. This isn't just about metadata; it's about an attacker's ability to arbitrarily read and write files on your system. Don't wait for a demonstrated RCE; this is a critical foothold.

🛡️ Detection Rules

high T1204.002 Execution

CVE-2026-43893: ExifTool Argument Injection via Newline Characters

Sigma YAML

```yaml
# Title is quoted because an unquoted ": " inside a value is invalid YAML.
title: 'CVE-2026-43893: ExifTool Argument Injection via Newline Characters'
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects the exploitation of CVE-2026-43893 in exiftool-vendored. This rule specifically looks for the exiftool.js process being invoked with command lines containing newline or carriage return characters, which are used to inject arguments into ExifTool, potentially leading to unauthorized file reads or writes.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43893/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  # Matches command-line text only. Arguments sent to a stay_open ExifTool
  # over its input stream do not appear in process_creation events.
  selection:
    Image|endswith:
      - 'exiftool.js'
    # Double-quoted so YAML yields the actual LF and CR control characters.
    CommandLine|contains:
      - "\n"
      - "\r"
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43893 | Argument Injection | exiftool-vendored < 35.19.0 |
| CVE-2026-43893 | Information Disclosure | ExifTool process reading attacker-chosen files via argument injection |
| CVE-2026-43893 | Path Traversal | ExifTool process writing to attacker-chosen file system paths via argument injection |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 01:22 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
