CVE-2026-22035
Published: 08 January 2026
Summary
CVE-2026-22035 is a high-severity OS Command Injection (CWE-78) vulnerability in Getgreenshot Greenshot. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-controlled filenames to prevent injection of shell metacharacters into OS commands.
Mandates timely patching of the specific flaw in Greenshot versions 1.3.310 and below, as fixed in 1.3.311.
Limits the scope and impact of arbitrary command execution by enforcing least privilege on the Greenshot process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in filename handling directly enables arbitrary Windows command shell execution (T1059.003) via crafted input to ExternalCommandDestination.
NVD Description
Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers…
more
to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.
Deeper analysisAI
Greenshot, an open source Windows screenshot utility, is affected by CVE-2026-22035, an OS command injection vulnerability in versions 1.3.310 and below. The issue resides in the FormatArguments method within ExternalCommandDestination.cs at line 269, where string.Format() inserts user-controlled filenames directly into shell commands without sanitization. This allows attackers to inject shell metacharacters via malicious filenames, leading to arbitrary command execution. The vulnerability is classified under CWE-78 with a CVSS v3.1 base score of 7.7 (AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Exploitation requires local access to the system with no privileges (PR:N), but demands high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into saving a screenshot with a specially crafted filename containing shell metacharacters. Successful exploitation changes scope (S:C) and grants high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), enabling arbitrary OS command execution in the context of the Greenshot process.
The Greenshot security advisory (GHSA-7hvw-q8q5-gpmj) and associated GitHub resources detail the fix in version 1.3.311, available via the release page. The patching commit (5dedd5c9f0a9896fa0af1d4980d875a48bf432cb) addresses the sanitization flaw in filename processing for external command destinations. Security practitioners should urge users to update to 1.3.311 or later.
Details
- CWE(s)