{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25792", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.639Z", "datePublished": "2026-03-20T10:04:34.752Z", "dateUpdated": "2026-03-24T03:55:58.579Z"}, "containers": {"cna": {"title": "Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "lang": "en", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j"}], "affected": [{"vendor": "greenshot", "product": "greenshot", "versions": [{"version": "<= 1.3.312", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:04:44.475Z"}, "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application\u2019s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication."}], "source": {"advisory": "GHSA-f8v9-7fph-fr2j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-25792"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T03:55:58.579Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25792", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T15:59:17.865023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:59:23.580Z"}}], "cna": {"title": "Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin", "source": {"advisory": "GHSA-f8v9-7fph-fr2j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "greenshot", "product": "greenshot", "versions": [{"status": "affected", "version": "<= 1.3.312"}]}], "references": [{"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j", "name": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application\u2019s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:04:44.475Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25792", "state": "PUBLISHED", "dateUpdated": "2026-03-24T03:55:58.579Z", "dateReserved": "2026-02-05T19:58:01.639Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:04:34.752Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getgreenshot:greenshot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B340B100-847F-4824-9932-4C01557EFC42", "versionEndIncluding": "1.3.312", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application\u2019s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication."}, {"lang": "es", "value": "Greenshot es una utilidad de captura de pantalla de c\u00f3digo abierto para Windows. Las versiones 1.3.312 e inferiores tienen una vulnerabilidad de ruta de b\u00fasqueda de ejecutables no confiable / secuestro de binarios que permite a un atacante local ejecutar c\u00f3digo arbitrario cuando la aplicaci\u00f3n de Windows afectada inicia explorer.exe sin usar una ruta absoluta. El comportamiento vulnerable se activa cuando el usuario hace doble clic en el icono de la bandeja de la aplicaci\u00f3n, lo que abre el directorio que contiene la captura de pantalla m\u00e1s reciente capturada por la aplicaci\u00f3n. Al colocar un ejecutable malicioso con el mismo nombre en una ubicaci\u00f3n buscada antes que el binario leg\u00edtimo de Windows, un atacante puede obtener la ejecuci\u00f3n de c\u00f3digo en el contexto de la aplicaci\u00f3n. Este problema no ten\u00eda un parche en el momento de la publicaci\u00f3n."}], "id": "CVE-2026-25792", "lastModified": "2026-03-23T15:51:14.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:01.753", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.312]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "greenshot", "source": "cna", "vendor": "greenshot"}, "product": "greenshot", "vendor": "greenshot"}], "analysis": {"en": {"generated_at": "2026-03-23T18:05:32.117957+00:00", "value": {"mitigation_remediation": ["Verify the Greenshot version installed; if version 1.3.312 or lower, check the vendor\u2019s website for an update or plan to upgrade when an official fix becomes available.", "Avoid leaving files with names matching legitimate system binaries in directories that the application searches prior to explorer.exe; keep such directories clean.", "If an update is not immediately possible and the ExternalCommand plugin is not required, disable or uninstall the plugin to reduce the attack surface."], "summary": {"action": "Check Version", "impact": "Local Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Greenshot for Windows. Versions 1.3.312 and earlier are vulnerable; no patch was available at publication time, and later releases beyond 1.3.312 are not affected.", "description_and_impact": "Greenshot, an open\u2011source Windows screenshot utility, contains a flaw where the application launches explorer.exe without an absolute path. The program accepts a user\u2011supplied executable name and searches the path hierarchy, allowing a local attacker to place a malicious file with the same name as a legitimate Windows binary in a directory that is searched before explorer.exe. When the user double\u2011clicks the tray icon, Greenshot opens the folder containing the most recent screenshot, triggering the vulnerable behavior and giving the attacker code execution in the context of the Greenshot process.", "risk_and_exploitability": "The CVSS score of 6.5 reflects moderate severity. EPSS is below 1%, indicating a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker must have local access to the machine and be able to place a malicious executable in a directory that appears before explorer.exe in the search order. Successful exploitation results in code execution within the Greenshot application\u2019s user context; no escalation to higher privileges is described in the available data."}}}}, "created": "2026-03-20T14:13:48.307208+00:00", "updated": "2026-03-25T14:29:36.808429+00:00", "vendors": ["greenshot", "greenshot$PRODUCT$greenshot"]}