The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade exiftool-vendored to version 35.19.0 or higher.
exiftool-vendored provides efficient, cross-platform access to ExifTool.
Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized input in tag names, filenames, or options passed to the ExifTool process. An attacker can manipulate file access or write output to arbitrary file system paths by injecting newline or carriage return characters into these arguments, causing unintended command arguments to be processed.
This vulnerability can be mitigated by rejecting untrusted strings that contain control characters before they are passed to the affected APIs, for example with a guard function that validates input.
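A guard of the kind described above, as an added example that is not code from exiftool-vendored or from this advisory. The names `assertSafeArg`, `guardRequest` and `toArgLines` are hypothetical, and `toArgLines` is a simplified model that assumes arguments reach the ExifTool process one per line.

```javascript
// Added example: not part of exiftool-vendored. All names are hypothetical.

// C0 control characters (this range includes \n and \r) plus DEL.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Simplified model (assumption): arguments are sent one per line, so a
// line break inside a value is read as the start of a new argument.
function toArgLines(args) {
  return args.join("\n").split(/\r\n|\r|\n/);
}

// Returns the string unchanged, or throws if it contains a control character.
function assertSafeArg(value, label) {
  if (typeof value !== "string") {
    throw new TypeError(`${label}: expected a string`);
  }
  const m = CONTROL_CHARS.exec(value);
  if (m) {
    const code = m[0].charCodeAt(0).toString(16).padStart(4, "0");
    throw new RangeError(`${label}: control character U+${code} at index ${m.index}`);
  }
  return value;
}

// Validates the three input kinds the advisory names: filename, options, tag names.
function guardRequest({ file, options = [], tagNames = [] }) {
  assertSafeArg(file, "file");
  options.forEach((opt, i) => assertSafeArg(opt, `options[${i}]`));
  tagNames.forEach((name, i) => assertSafeArg(name, `tagNames[${i}]`));
  return { file, options, tagNames };
}

// Constructed input: a tag name carrying an embedded newline.
const untrustedTag = "Title\n-ExtraArgument";

// Without the guard, the single value is read as two arguments.
console.log(toArgLines(["-" + untrustedTag]));

// With the guard, the request is refused before anything is sent.
try {
  guardRequest({ file: "photo.jpg", tagNames: [untrustedTag] });
} catch (err) {
  console.log("rejected:", err.message);
}
```

Call the guard at the boundary where untrusted strings enter the application, before any of them is handed to the library.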