OS Command Injection in Greenshot Screenshot Utility
CVE-2026-22035

7.8HIGH

Key Information:

Vendor

Greenshot

Status
Greenshot
Vendor
CVE Published:
8 January 2026

What is CVE-2026-22035?

Greenshot, an open source screenshot utility for Windows, is susceptible to OS Command Injection due to unsanitized filename processing in versions 1.3.310 and earlier. The issue arises when user-controlled filenames are directly inserted into shell commands via the FormatArguments method, enabling attackers to execute arbitrary code by crafting malicious filenames that include shell metacharacters. This vulnerability has been addressed in version 1.3.311, which implements proper sanitization measures.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

greenshot < 1.3.311

References

https://github.com/greenshot/greenshot/security/advisorie...
x_refsource_CONFIRM
https://github.com/greenshot/greenshot/commit/5dedd5c9f0a...
x_refsource_MISC
https://github.com/greenshot/greenshot/releases/tag/v1.3.311
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.