{"id":"CVE-2026-43893","summary":"exiftool-vendored: Argument injection via newline characters in tag names","details":"exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one of those strings could split a single intended argument into multiple ExifTool arguments, allowing argument injection. The fix also rejects NUL bytes as unsafe control characters. Applications that pass attacker-controlled strings to affected APIs may allow an attacker to make ExifTool read files accessible to the ExifTool process, or write output to attacker-chosen file system paths accessible to that process. No remote code execution has been demonstrated. This vulnerability is fixed in 35.19.0.","aliases":["GHSA-cw26-7653-2rp5"],"modified":"2026-07-08T08:11:41.533760284Z","published":"2026-05-11T20:59:14.560Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-88"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43893.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43893.json"},{"type":"ADVISORY","url":"https://github.com/photostructure/exiftool-vendored.js/security/advisories/GHSA-cw26-7653-2rp5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43893"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/photostructure/exiftool-vendored.js","events":[{"introduced":"0"},{"fixed":"6ec9f9f9c47ad2d9e93ac88b53e6d9a064ea7704"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"35.19.0"}]}}],"versions":["35.18.0","35.17.0","35.16.0","35.15.1","35.14.0","35.13.1","35.13.0","35.12.1","35.12.0","35.11.0","35.10.1","35.10.0","35.9.0","35.8.0","35.7.0","35.6.0","35.5.0","35.4.0","35.3.0","35.2.0","35.1.0","35.0.0","34.3.0","34.2.0","34.1.0","34.0.0","33.5.0","33.4.0","33.3.0","33.2.0","33.1.0","33.0.0","32.1.0","32.0.1","31.3.0","31.2.0","31.1.0","31.0.0","30.5.0","30.4.0","30.3.0","30.2.0","30.1.0","30.0.0","v29.3.0","v29.2.0","v29.1.0","v29.0.0","v28.8.0","v28.7.0","v28.6.0","v28.5.0","v28.4.1","v28.4.0","v28.3.1","v28.3.0","v28.2.1","v28.2.0","v28.1.0","v28.0.0","v26.1.0","v26.0.0","v25.2.0","v25.1.0","v25.0.0","v24.6.0","v24.5.0","v24.4.0","v24.3.0","v24.2.0","v24.1.0","v24.0.0","v23.7.0","v23.6.0","v23.5.0","v23.4.0","v23.3.0","v23.2.0","v23.1.0","v23.0.0","v22.2.3","v22.2.2","v22.2.1","v22.2.0","v22.1.0","v22.0.0","v21.5.1","v21.5.0","v21.4.0","v21.3.0","v21.2.0","v21.1.0","v21.0.0","v20.0.0","v19.0.0","v18.6.0","v18.5.0","v18.4.2","v18.4.1","v18.4.0","v18.3.0","v18.2.0","v18.1.0","v18.0.0","v17.1.0","v17.0.1","v17.0.0","v16.5.1","v16.4.0","v16.3.0","v16.2.0","v16.1.0","v16.0.0","v15.12.1","v15.12.0","v15.11.0","v15.10.1","v15.10.0","v15.9.2","v15.9.1","v15.9.0","v15.8.0","v15.7.0","v15.6.0","v15.5.0","v15.4.0","v15.3.0","v15.2.0","v15.1.0","v15.0.0","v14.6.2","v14.6.1","v14.6.0","v14.5.0","v14.4.0","v14.3.0","v14.2.0","v14.1.1","v14.1.0","v14.0.0","v13.2.0","v13.1.0","v13.0.0","v12.3.1","v12.3.0","v12.2.0","v12.1.0","v12.0.0","v11.5.0","v11.4.0","v11.3.0","v11.2.0","v11.1.0","v11.0.0","v10.1.0","v10.0.0","v9.7.0","v9.6.0","v9.5.0","v9.4.0","v9.3.1","v9.3.0","v9.2.0","v9.1.0","v9.0.0","v9.0.0-alpha.2","v9.0.0-alpha.1","v8.22.0","v8.21.1","v8.21.0","v8.20.0","v8.19.0","v8.18.0","v8.17.0","v8.16.0","v8.15.0","v8.14.0","v8.13.1","v8.13.0","v8.12.0","v8.11.0","v8.10.1","v8.10.0","v8.9.0","v8.8.0","v8.7.1","v8.6.1","v8.6.0","v8.5.1","v8.5.0","v8.4.0","v8.3.0","v8.2.0","v8.1.0","v8.0.0","v7.6.1","v7.6.0","v7.5.0","v7.4.0","v7.3.0","v7.2.1","v7.2.0","v7.1.0","v7.0.1","v7.0.0","v6.3.0","v6.2.3","v6.2.2","v6.2.1","v6.2.0","v6.1.2","v6.1.1","v6.1.0","v6.0.1","v6.0.0","v5.5.0","v5.4.0","v5.3.0","v5.2.0","v5.1.0","v5.0.0","v4.26.0","v4.25.0","v4.24.0","v4.23.0","v4.22.1","v4.22.0","v4.21.0","v4.20.0","v4.18.1","v4.18.0","v4.17.0","v4.16.0","v4.15.0","v4.14.1","v4.14.0","v4.14.0-1","v4.14.0-0","v4.13.1","v4.13.0","v4.12.1","v4.12.0","v4.10.0","v4.9.2","v4.9.1","v4.8.0","v4.7.1","v4.7.0","v4.6.0","v4.4.1","v4.5.0","v4.1.0","v4.0.0-alpha.0","v3.2.0","v3.1.1","v3.1.0","v2.17.0","v2.16.1","v2.16.0","v2.15.0","v2.14.0","v2.13.0","v2.12.0","v2.10.0","v2.9.0","v2.8.0","v2.7.0","v2.4.0","v2.3.0","v2.2.0","v2.1.1","v2.1.0","v2.0.1","v2.0.0","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.0","v1.3.0","v1.2.0","v1.0.0","v0.4.0","v0.3.1","v0.3.0","v0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43893.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}]}