CVE-2026-43893

PhotoStructure · exiftool-vendored.js

The exiftool-vendored.js package is vulnerable to argument injection, allowing unauthenticated attackers to manipulate command-line arguments via improper neutralization of delimiters.

Executive summary

An argument injection vulnerability in PhotoStructure exiftool-vendored.js poses a significant risk of unauthorized command execution by unauthenticated remote attackers.

Vulnerability

This is an argument injection vulnerability (CWE-88) occurring because the application fails to properly neutralize argument delimiters when interacting with the underlying command-line interface. The attack vector is network-based and requires no authentication or user interaction.

Business impact

The CVSS score of 8.2 (High) reflects the potential for an attacker to manipulate command execution, which could lead to unauthorized system modification or integrity loss. While the vulnerability does not directly provide remote code execution (RCE) in a shell sense, the ability to inject arguments into the ExifTool process could allow an attacker to read or overwrite sensitive files, severely impacting system confidentiality and integrity.

Remediation

Immediate Action: Update the exiftool-vendored npm package to version 35.19.0 or later to ensure proper sanitization of command arguments.

Proactive Monitoring: Monitor server logs for unusual command-line execution patterns or unexpected arguments passed to the ExifTool process.

Compensating Controls: Implement strict input validation on any user-supplied data that is subsequently passed to the exiftool-vendored library.

Exploitation status

Public Exploit Available: Yes — a public proof-of-concept exists on GitHub (https://github.com/Dobby153/CVE-2026-43893).

Analyst recommendation

Given the availability of a public proof-of-concept and the ease of exploitation, this vulnerability should be prioritized for immediate remediation. Organizations utilizing exiftool-vendored.js must update to version 35.19.0 immediately to eliminate the injection vector.