CVE-2026-22035

Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb	Patch
https://github.com/greenshot/greenshot/releases/tag/v1.3.311	Release Notes
https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj	Vendor Advisory Exploit
https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:getgreenshot:greenshot:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-08 01:15

Updated : 2026-01-27 19:11

NVD link : CVE-2026-22035

Mitre link : CVE-2026-22035

CVE.ORG link : CVE-2026-22035

JSON object : View

Products Affected

getgreenshot

greenshot

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-22035", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}]}, "published": "2026-01-08T01:15:55.847", "references": [{"url": "https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/greenshot/greenshot/releases/tag/v1.3.311", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "tags": ["Vendor Advisory", "Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311."}], "lastModified": "2026-01-27T19:11:58.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:getgreenshot:greenshot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "964FCC5B-97DF-4775-B17B-8E1FB673B863", "versionEndExcluding": "1.3.311"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}