CVE-2026-22035
OS Command Injection in Greenshot Filename Processing Allows RCE
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| greenshot | greenshot | up to 1.3.311 (exclusive) |
| greenshot | greenshot | 1.3.311 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22035 is an OS Command Injection vulnerability in the Greenshot screenshot utility, specifically in its ExternalCommand plugin. The vulnerability occurs because the application uses the FormatArguments method to insert user-controlled filenames directly into shell commands without sanitization. Attackers can craft malicious filenames containing shell metacharacters (like &) that get executed as arbitrary OS commands when processed by Greenshot. This allows local attackers to execute arbitrary commands with the user's privileges by exploiting unsanitized filename insertion into shell commands. [1]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary command execution on the affected system with the privileges of the user running Greenshot. An attacker can craft malicious filenames or configuration commands that cause the system to execute unintended commands, potentially leading to compromise of the user's environment, execution of malicious software, or other harmful actions. The impact is high severity, allowing local attackers to run arbitrary OS commands via the ExternalCommand plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by checking for the presence of vulnerable Greenshot versions (1.3.310 and below) and monitoring for execution of unexpected commands triggered by malicious filenames or configurations. Specifically, you can look for suspicious filenames containing shell metacharacters such as `&`, `|`, `;`, `$`, `` ` ``, `(`, `)`, `<`, `>`, newlines, and quotes in the directories where Greenshot saves screenshots. Additionally, monitoring process creation logs for unexpected commands like calc.exe or other injected commands launched alongside Greenshot's normal operations can indicate exploitation attempts. There are no explicit detection commands provided, but you can use PowerShell or command line to list files with suspicious characters, for example: ``dir /b | findstr /r "[&|;$`()<>\"']"`` to find files with dangerous characters in their names. Also, reviewing Greenshot configuration files (`greenshot-fixed.ini`) for suspicious external command definitions containing shell metacharacters can help detect configuration-based injection attempts. [1]
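The two checks described above (file names with shell metacharacters, and external command definitions that call a shell interpreter or embed metacharacters) can be scripted. The following is an added example, not code from the advisory or from the Greenshot project; the function names are this example's own, and the section and key names in the sample configuration are constructed for illustration.

```python
import re
from pathlib import Path

# Characters the page lists: & | ; $ ` ( ) < > newlines and quotes.
# Win32 forbids | < > " in file names, so on NTFS expect & ; $ ` ( ) ' hits.
NAME_META = re.compile(r"""[&|;$`()<>\r\n"']""")
# Config values: skip ( ) and quotes, which are normal in paths and quoting.
VALUE_META = re.compile(r"[&|;$`<>]")
SHELL_HOST = re.compile(r"\b(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.I)

def suspicious_names(names):
    """Return (name, metacharacters found) for names a shell would reinterpret."""
    found = ((n, sorted(set(NAME_META.findall(n)))) for n in names)
    return [(n, chars) for n, chars in found if chars]

def scan_directory(root):
    """Apply suspicious_names() to every file under a screenshot directory."""
    return suspicious_names(p.name for p in Path(root).rglob("*") if p.is_file())

def suspicious_ini_lines(text):
    """Flag key=value lines that call a shell interpreter or embed metacharacters."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = line.split("=", 1)
        reasons = []
        if SHELL_HOST.search(value):
            reasons.append("shell interpreter")
        if VALUE_META.search(value):
            reasons.append("metacharacter")
        if reasons:
            hits.append((lineno, key.strip(), reasons))
    return hits

# Constructed sample input; the section and key names are illustrative only.
SAMPLE_NAMES = ["2026-01-08 10_15_00.png", "shot & calc.exe.png"]
SAMPLE_INI = """[ExternalCommand]
Commandline.Paint=C:\\Windows\\System32\\mspaint.exe
Argument.Paint="{0}"
Commandline.Convert=C:\\Windows\\System32\\cmd.exe
Argument.Convert=/c copy "{0}" D:\\out & echo done
"""

if __name__ == "__main__":
    print(suspicious_names(SAMPLE_NAMES))
    print(suspicious_ini_lines(SAMPLE_INI))
```

A hit is a lead for review rather than proof of exploitation: an ampersand in a legitimate file name will also be flagged.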
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Greenshot to version 1.3.311 or later, where the vulnerability is fixed. If upgrading is not immediately possible, administrators should sanitize and validate filenames to reject or escape shell metacharacters before processing. Avoid configuring the ExternalCommand plugin to use shell interpreters like cmd.exe or powershell with user-controlled inputs. Use persistent configuration via `greenshot-fixed.ini` to enforce safe settings and prevent loss on exit. Additionally, review and remove any external command definitions that include shell metacharacters and monitor for suspicious file names. Applying the official patch or update is the most effective mitigation. [1, 2, 3]