Executive Summary

CVE-2026-22035 is an OS Command Injection vulnerability in the Greenshot screenshot utility, specifically in its ExternalCommand plugin. The vulnerability occurs because the application uses the FormatArguments method to insert user-controlled filenames directly into shell commands without sanitization. Attackers can craft malicious filenames containing shell metacharacters (like &) that get executed as arbitrary OS commands when processed by Greenshot. This allows local attackers to execute arbitrary commands with the user's privileges by exploiting unsanitized filename insertion into shell commands. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary command execution on the affected system with the privileges of the user running Greenshot. An attacker can craft malicious filenames or configuration commands that cause the system to execute unintended commands, potentially leading to compromise of the user's environment, execution of malicious software, or other harmful actions. The impact is high severity, allowing local attackers to run arbitrary OS commands via the ExternalCommand plugin. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection can be performed by checking for the presence of vulnerable Greenshot versions (1.3.310 and below) and monitoring for execution of unexpected commands triggered by malicious filenames or configurations. Specifically, you can look for suspicious filenames containing shell metacharacters such as &, |, ;, $, `, (, ), <, >, newlines, and quotes in the directories where Greenshot saves screenshots. Additionally, monitoring process creation logs for unexpected commands like calc.exe or other injected commands launched alongside Greenshot's normal operations can indicate exploitation attempts. There are no explicit detection commands provided, but you can use PowerShell or command line to list files with suspicious characters, for example: `dir /b | findstr /r "[&|;$`()<>\"']"` to find files with dangerous characters in their names. Also, reviewing Greenshot configuration files (`greenshot-fixed.ini`) for suspicious external command definitions containing shell metacharacters can help detect configuration-based injection attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Greenshot to version 1.3.311 or later, where the vulnerability is fixed. If upgrading is not immediately possible, administrators should sanitize and validate filenames to reject or escape shell metacharacters before processing. Avoid configuring the ExternalCommand plugin to use shell interpreters like cmd.exe or powershell with user-controlled inputs. Use persistent configuration via `greenshot-fixed.ini` to enforce safe settings and prevent loss on exit. Additionally, review and remove any external command definitions that include shell metacharacters and monitor for suspicious file names. Applying the official patch or update is the most effective mitigation. [1, 2, 3]

Useful 0 Not Useful 0