CVE-2026-25792
Received Received - Intake
Binary Hijacking in Greenshot Allows Local Code Execution

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application’s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25792
EUVD
EUVD-2026-13661
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgreenshot greenshot to 1.3.312 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25792 is a vulnerability in the Greenshot Windows screenshot utility (versions 1.3.312 and below) where the application launches the Windows explorer.exe process without specifying its absolute path. This allows an attacker with local access and high privileges to place a malicious executable named explorer.exe in a location that is searched before the legitimate Windows binary. When the user double-clicks the Greenshot tray icon to open the folder containing the most recent screenshot, the application may execute the malicious executable instead of the legitimate one, leading to arbitrary code execution.

This vulnerability is a type of binary hijacking or untrusted executable search path issue (CWE-426). It requires user interaction (double-clicking the tray icon) and can be difficult to detect because the malicious executable can forward execution to the legitimate explorer.exe, maintaining normal application behavior.

Impact Analysis

The vulnerability allows a local attacker with high privileges to execute arbitrary code within the context of the Greenshot application. This can lead to privilege escalation if the application runs with elevated privileges.

Because the attacker can run malicious code disguised as a legitimate system process, they may gain unauthorized access to sensitive data, modify or delete files, or disrupt system availability.

The attack requires user interaction but can abuse a trusted user interface feature, making it a significant security risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the GreenShot application launches explorer.exe without using an absolute path, which allows binary hijacking. Detection involves verifying whether a malicious executable named explorer.exe exists in directories that are searched before the legitimate Windows system directory.

You can search for suspicious explorer.exe files in user-writable or application-controlled directories that precede the system directory in the executable search path.

  • Use commands to locate explorer.exe files outside the legitimate Windows system folder, for example on Windows PowerShell:
  • Get-ChildItem -Path C:\Users\*\AppData\Local\* -Filter explorer.exe -Recurse
  • Search common directories in the PATH environment variable for unexpected explorer.exe files.
  • Check the GreenShot process or logs to see if it launches explorer.exe without an absolute path.
Mitigation Strategies

Immediate mitigation involves ensuring that the GreenShot application launches system executables using fully qualified absolute paths to prevent binary hijacking.

Since no patch was available at the time of publication, you should restrict write permissions on directories that are searched before the system directory to prevent placing malicious executables.

Avoid running GreenShot with elevated privileges to reduce the impact of potential code execution.

Educate users to be cautious when double-clicking the GreenShot tray icon, as this triggers the vulnerable behavior.

Monitor for suspicious explorer.exe executions originating from non-standard locations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart