Cyber Resilience

CVE-2026-22035

HighPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
27 January 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0004 11.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22035 is a high-severity OS Command Injection (CWE-78) vulnerability in Getgreenshot Greenshot. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Greenshot, an open source Windows screenshot utility, is affected by CVE-2026-22035, an OS command injection vulnerability in versions 1.3.310 and below. The issue resides in the FormatArguments method within ExternalCommandDestination.cs at line 269, where string.Format() inserts user-controlled filenames directly into shell commands without sanitization. This allows attackers to inject shell metacharacters via malicious filenames, leading to arbitrary command execution. The vulnerability is classified under CWE-78 with a CVSS v3.1 base score of 7.7 (AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Exploitation requires local access to the system with no privileges (PR:N), but demands high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into saving a screenshot with a specially crafted filename containing shell metacharacters. Successful exploitation changes scope (S:C) and grants high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), enabling arbitrary OS command execution in the context of the Greenshot process.

The Greenshot security advisory (GHSA-7hvw-q8q5-gpmj) and associated GitHub resources detail the fix in version 1.3.311, available via the release page. The patching commit (5dedd5c9f0a9896fa0af1d4980d875a48bf432cb) addresses the sanitization flaw in filename processing for external command destinations. Security practitioners should urge users to update to 1.3.311 or later.

EU & UK References

Vulnerability details

Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers…

more

to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

OS command injection in filename handling directly enables arbitrary Windows command shell execution (T1059.003) via crafted input to ExternalCommandDestination.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59050Same product: Getgreenshot Greenshot
CVE-2026-32000Shared CWE-78
CVE-2026-28391Shared CWE-78
CVE-2026-30302Shared CWE-78
CVE-2025-11953Shared CWE-78
CVE-2026-7461Shared CWE-78
CVE-2026-31999Shared CWE-78
CVE-2025-63916Shared CWE-78
CVE-2025-54072Shared CWE-78
CVE-2026-22176Shared CWE-78

Affected Assets

getgreenshot
greenshot
≤ 1.3.311

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of user-controlled filenames to prevent injection of shell metacharacters into OS commands.

prevent

Mandates timely patching of the specific flaw in Greenshot versions 1.3.310 and below, as fixed in 1.3.311.

prevent

Limits the scope and impact of arbitrary command execution by enforcing least privilege on the Greenshot process.

References