CVE-2026-22035 Overview
CVE-2026-22035 is a command injection vulnerability in Greenshot, an open source Windows screenshot utility. Versions 1.3.310 and below are vulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters.
Critical Impact
Attackers can achieve arbitrary command execution on the target system by exploiting the unsanitized filename processing in Greenshot's external command functionality. A successful attack requires local access and user interaction, but can lead to full system compromise with impacts to confidentiality, integrity, and availability extending beyond the vulnerable component.
Affected Products
- Greenshot versions 1.3.310 and below
- Windows systems running vulnerable Greenshot installations
Discovery Timeline
- 2026-01-08 - CVE-2026-22035 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22035
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in Greenshot's external command destination functionality, which allows users to configure external applications to process screenshots.
The vulnerable code path occurs when Greenshot passes filenames to external commands. The FormatArguments method in ExternalCommandDestination.cs directly interpolates user-controlled filename data into command strings using string.Format() without validating or sanitizing the input for shell metacharacters. This allows an attacker who can control the filename of a screenshot to inject arbitrary shell commands.
The local attack vector requires the attacker to either convince a user to save a screenshot with a malicious filename or manipulate filenames through another vector. While user interaction is required, successful exploitation can result in code execution in the context of the user running Greenshot, potentially leading to privilege escalation if combined with other techniques.
Root Cause
The root cause is insufficient input validation in the FormatArguments method. The original implementation directly passed the fullpath parameter to string.Format() without checking for dangerous shell metacharacters such as &, |, ;, $, backticks, parentheses, and other special characters that could break out of the intended command context.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious filename containing shell metacharacters. When Greenshot processes this filename through the external command feature, the metacharacters are interpreted by the shell, allowing command injection. For example, a filename containing ; malicious_command ; or $(malicious_command) patterns could execute arbitrary commands.
The patch introduces validation that blocks filenames containing dangerous characters:
public static string FormatArguments(string arguments, string fullpath)
{
- return string.Format(arguments, fullpath);
+ // Validate filename doesn't contain shell metacharacters
+ char[] dangerousChars = { '&', '|', ';', '$', '`', '(', ')', '<', '>', '\n', '\r', '"', '\'', '\\' };
+
+ if (fullpath.IndexOfAny(dangerousChars) >= 0)
+ {
+ throw new ArgumentException(
+ "Filename contains potentially dangerous characters. " +
+ "For security reasons, filenames with shell metacharacters are not allowed."
+ );
+ }
+
+ // Validate arguments template doesn't use shell interpreters
+ if (arguments.Contains("cmd.exe") || arguments.Contains("powershell"))
+ {
+ LOG.Warn("ExternalCommand configured with shell interpreter - potential security risk");
+ }
+
+ // Additional: Ensure proper quoting
+ string safePath = fullpath.Replace("\"", "\\\"");
+
+ return string.Format(arguments, safePath);
}
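Review bot: dangerousChars includes '\\', but fullpath is a Windows path, so any value containing a directory separator hits fullpath.IndexOfAny(dangerousChars) and throws; run the check on the file name component only, or drop the backslash from the list. Because '"' is rejected by the same check, the later fullpath.Replace("\"", "\\\"") can never alter the string and should be removed or its intent documented. The interpreter test arguments.Contains("cmd.exe") || arguments.Contains("powershell") is case-sensitive and only logs a warning, so a template written as CMD.EXE passes without any log entry; compare case-insensitively.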
Source: GitHub Commit Update
Detection Methods for CVE-2026-22035
Indicators of Compromise
- Screenshot files with unusual filenames containing shell metacharacters (&, |, ;, $, backticks)
- Unexpected child processes spawned from Greenshot.exe
- Command line executions originating from Greenshot containing suspicious command sequences
Detection Strategies
- Monitor process creation events for child processes spawned by Greenshot
- Alert on filenames containing shell metacharacters in screenshot directories
- Use SentinelOne behavioral AI to detect anomalous command execution patterns from trusted applications
- Implement endpoint detection rules for command injection patterns in process arguments
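The first two strategies above can be expressed as a small triage routine. This is an added example, not code from Greenshot or from any vendor product; the event records are constructed samples using Sysmon-style field names (Image, ParentImage, CommandLine), and the function names are hypothetical.

```python
import ntpath

# Metacharacters the advisory lists as filename indicators.
SHELL_METACHARS = set("&|;$`")
# Interpreters the patch itself warns about in command templates.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe"}
PARENT = "greenshot.exe"


def suspicious_filename(path):
    """Return the sorted metacharacters found in the file name part of a path."""
    name = ntpath.basename(path)
    return sorted(SHELL_METACHARS.intersection(name))


def triage(event):
    """Return the reasons a process-creation event deserves review."""
    if ntpath.basename(event["ParentImage"]).lower() != PARENT:
        return []  # only children of Greenshot are in scope
    reasons = []
    child = ntpath.basename(event["Image"]).lower()
    if child in SHELL_INTERPRETERS:
        reasons.append(f"shell interpreter child: {child}")
    hits = sorted(SHELL_METACHARS.intersection(event["CommandLine"]))
    if hits:
        reasons.append("metacharacters in command line: " + " ".join(hits))
    return reasons


def alerts(events):
    """Return (index, reasons) for every event that triggered a rule."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]


# Constructed sample events (not real telemetry).
GREENSHOT = r"C:\Program Files\Greenshot\Greenshot.exe"
EVENTS = [
    {"ParentImage": GREENSHOT,
     "Image": r"C:\Program Files\Paint\editor.exe",
     "CommandLine": r'"C:\Program Files\Paint\editor.exe" "C:\Users\a\Pictures\shot_01.png"'},
    {"ParentImage": GREENSHOT,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c viewer.exe "C:\Users\a\Pictures\shot & placeholder_command.png"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir & echo done"},
]

if __name__ == "__main__":
    for index, reasons in alerts(EVENTS):
        print(index, reasons)
```

The command-line rule is a triage heuristic: a legitimate external command template may itself contain one of these characters, so baseline the configured templates before alerting on it.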
Monitoring Recommendations
- Enable detailed process auditing on endpoints running Greenshot
- Configure SentinelOne to monitor for unusual process chains originating from Greenshot.exe
- Review external command configurations in Greenshot installations across the environment
- Monitor for attempts to create files with shell metacharacters in filenames
How to Mitigate CVE-2026-22035
Immediate Actions Required
- Update Greenshot to version 1.3.311 or later immediately
- Audit external command configurations in Greenshot for potentially dangerous command templates
- Review any custom external command integrations that may pass untrusted data to shell commands
- Consider temporarily disabling the external command feature until patching is complete
Patch Information
The vulnerability has been fixed in Greenshot version 1.3.311. The patch implements input validation that rejects filenames containing dangerous shell metacharacters and adds proper escaping for quoted strings. Users should update immediately via the official release.
For technical details about the fix, refer to:
Workarounds
- Disable or remove external command integrations in Greenshot until patching is possible
- Avoid using filenames from untrusted sources when saving screenshots
- Restrict Greenshot's ability to execute external commands via application control policies
- Use SentinelOne application control to restrict child process execution from Greenshot
REM Verify the Greenshot version to ensure the patch is applied (run in cmd.exe)
REM Check the installed version in Windows
wmic product where "name like '%Greenshot%'" get name,version
REM Or read the version from the executable directly
wmic datafile where "name='C:\\Program Files\\Greenshot\\Greenshot.exe'" get Version


