← Retour aux CVEs

CVE-2026-22035

HIGH

7.7

Description

Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.

Details CVE

Score CVSS v3.17.7

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Vecteur d'attaqueLOCAL

ComplexiteHIGH

Privileges requisNONE

Interaction utilisateurREQUIRED

Publie1/8/2026

Derniere modification1/27/2026

Sourcenvd

Observations honeypot0

Produits affectes

getgreenshot:greenshot

Faiblesses (CWE)

CWE-78

References

https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb(security-advisories@github.com)

https://github.com/greenshot/greenshot/releases/tag/v1.3.311(security-advisories@github.com)

https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj(security-advisories@github.com)

https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.