{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22035", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T22:30:38.719Z", "datePublished": "2026-01-08T00:10:28.278Z", "dateUpdated": "2026-02-26T15:04:55.208Z"}, "containers": {"cna": {"title": "Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj"}, {"name": "https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb"}, {"name": "https://github.com/greenshot/greenshot/releases/tag/v1.3.311", "tags": ["x_refsource_MISC"], "url": "https://github.com/greenshot/greenshot/releases/tag/v1.3.311"}], "affected": [{"vendor": "greenshot", "product": "greenshot", "versions": [{"version": "< 1.3.311", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T00:10:28.278Z"}, "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311."}], "source": {"advisory": "GHSA-7hvw-q8q5-gpmj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22035", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-09T04:55:31.712966Z"}}}], "references": [{"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "tags": ["exploit"]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:55.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22035", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T19:07:55.259436Z"}}}], "references": [{"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T19:07:47.253Z"}}], "cna": {"title": "Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin", "source": {"advisory": "GHSA-7hvw-q8q5-gpmj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "greenshot", "product": "greenshot", "versions": [{"status": "affected", "version": "< 1.3.311"}]}], "references": [{"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "name": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb", "name": "https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/greenshot/greenshot/releases/tag/v1.3.311", "name": "https://github.com/greenshot/greenshot/releases/tag/v1.3.311", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T00:10:28.278Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22035", "state": "PUBLISHED", "dateUpdated": "2026-01-09T04:55:30.975Z", "dateReserved": "2026-01-05T22:30:38.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T00:10:28.278Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getgreenshot:greenshot:*:*:*:*:*:*:*:*", "matchCriteriaId": "964FCC5B-97DF-4775-B17B-8E1FB673B863", "versionEndExcluding": "1.3.311", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311."}], "id": "CVE-2026-22035", "lastModified": "2026-01-27T19:11:58.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-08T01:15:55.847", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/greenshot/greenshot/releases/tag/v1.3.311"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:50:28.030736+00:00", "value": {"mitigation_remediation": ["Upgrade Greenshot to version 1.3.311 or later, which removes the vulnerable code.", "Disable or uninstall the ExternalCommand plugin until the official fix is applied.", "Audit existing screenshot files for maliciously crafted names and delete any that match the pattern of injected command characters.", "Restrict who can place or modify screenshot files in directories accessed by Greenshot, limiting the exposure of untrusted file names."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects Greenshot versions 1.3.310 and all earlier releases. Users running these versions on Windows should be aware that unsanitized filenames processed by the ExternalCommand plugin can be used to inject commands.", "description_and_impact": "Greenshot, an open\u2011source Windows screenshot utility, contains an OS Command Injection flaw in the ExternalCommand plugin. The FormatArguments method concatenates user-controlled filenames directly into shell commands without sanitization. A crafted filename with shell metacharacters can cause Greenshot to execute arbitrary commands, enabling an attacker to gain local command execution on any system where the vulnerable version runs. The vulnerability maps to CWE\u201178 and can compromise both the confidentiality and integrity of the affected system.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity level, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. Greenshot is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability can be exploited via local delivery of a malicious file name or by an attacker who can place a specially crafted file in a location that Greenshot processes. Because the flaw requires local execution of Greenshot, the attack vector is most likely local and requires that the user runs the application or that an attacker can influence the file name used during capture."}}}}, "created": "2026-01-08T09:47:39.997746+00:00", "updated": "2026-04-18T08:00:05.787614+00:00", "vendors": ["greenshot", "greenshot$PRODUCT$greenshot", "microsoft", "microsoft$PRODUCT$windows"]}