CVE-2026-22035 Overview
CVE-2026-22035 is an OS Command Injection vulnerability [CWE-78] affecting Greenshot, an open source Windows screenshot utility. Versions 1.3.310 and below contain a flaw in the FormatArguments method located at ExternalCommandDestination.cs:269. The method uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization. Attackers can execute arbitrary commands by crafting malicious filenames containing shell metacharacters. The issue is fixed in version 1.3.311.
Critical Impact
Local attackers with low privileges can achieve arbitrary command execution on the host by supplying filenames with shell metacharacters, resulting in high impact to confidentiality, integrity, and availability.
Affected Products
- Greenshot versions 1.3.310 and earlier
- Greenshot ExternalCommand plugin (Greenshot.Plugin.ExternalCommand)
- Windows installations of Greenshot using external command destinations
Discovery Timeline
- 2026-01-08 - CVE-2026-22035 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-22035
Vulnerability Analysis
The vulnerability resides in Greenshot's ExternalCommand plugin, which allows users to pipe captured screenshots to external programs. The FormatArguments(string arguments, string fullpath) method constructs the command-line arguments for the external process. Before the patch, the method invoked string.Format(arguments, fullpath) directly, embedding the file path into a string that is later passed to the shell. Because the file path is user-controlled, an attacker who can influence the filename, for example by tricking a user into saving a screenshot with a crafted name, can inject shell metacharacters such as &, |, ;, $, or backticks. These characters terminate the intended command and append attacker-controlled commands that execute under the user's context.
Root Cause
The root cause is missing input validation on filenames before they are interpolated into a shell command string. The original implementation trusted the fullpath argument and performed no escaping or rejection of dangerous characters, violating safe command construction practices.
Attack Vector
Exploitation requires local access and user interaction. An attacker crafts a filename containing shell metacharacters and induces the victim to process it through Greenshot's external command destination. When the external command is invoked, the injected payload executes alongside the legitimate command.
// Patch diff: src/Greenshot.Plugin.ExternalCommand/ExternalCommandDestination.cs
public static string FormatArguments(string arguments, string fullpath)
{
- return string.Format(arguments, fullpath);
+ // Validate filename doesn't contain shell metacharacters
+ char[] dangerousChars = { '&', '|', ';', '$', '`', '(', ')', '<', '>', '\n', '\r', '"', '\'', '\\' };
+
+ if (fullpath.IndexOfAny(dangerousChars) >= 0)
+ {
+ throw new ArgumentException(
+ "Filename contains potentially dangerous characters. " +
+ "For security reasons, filenames with shell metacharacters are not allowed."
+ );
+ }
+
+ // Validate arguments template doesn't use shell interpreters
+ if (arguments.Contains("cmd.exe") || arguments.Contains("powershell"))
+ {
+ LOG.Warn("ExternalCommand configured with shell interpreter - potential security risk");
+ }
+
+ // Additional: Ensure proper quoting
+ string safePath = fullpath.Replace("\"", "\\\"");
+
+ return string.Format(arguments, safePath);
}
// Source: https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb
Detection Methods for CVE-2026-22035
Indicators of Compromise
- Screenshot files saved with names containing shell metacharacters such as &, |, ;, $, or backticks.
- Child processes spawned by Greenshot.exe that invoke cmd.exe, powershell.exe, or other shell interpreters with unexpected arguments.
- Outbound network connections initiated by processes parented to Greenshot.exe shortly after a screenshot export action.
Detection Strategies
- Monitor process creation events where the parent process is Greenshot.exe and the child is a scripting host or LOLBin.
- Hunt for command-line arguments referencing screenshot file paths that contain shell metacharacters.
- Inventory installed Greenshot versions across endpoints and flag any host running 1.3.310 or earlier.
Monitoring Recommendations
- Enable command-line auditing (Windows Event ID 4688) to capture full process arguments for Greenshot child processes.
- Forward endpoint telemetry to a centralized analytics platform for correlation of suspicious Greenshot descendants.
- Alert on Greenshot configurations that reference cmd.exe or powershell.exe in external command templates.
How to Mitigate CVE-2026-22035
Immediate Actions Required
- Upgrade Greenshot to version 1.3.311 or later on all affected Windows endpoints.
- Audit existing Greenshot ExternalCommand plugin configurations for entries invoking shell interpreters and remove or harden them.
- Restrict write access to screenshot output directories to trusted users only.
Patch Information
The fix is delivered in Greenshot 1.3.311. The patched FormatArguments method rejects filenames containing shell metacharacters, warns when arguments templates reference shell interpreters, and applies additional quoting. Review the GitHub Security Advisory GHSA-7hvw-q8q5-gpmj, the remediation commit, and the Greenshot v1.3.311 release notes for details.
Workarounds
- Disable or remove the ExternalCommand plugin until the upgrade to 1.3.311 can be completed.
- Configure Greenshot to save screenshots with sanitized, application-controlled filenames rather than user-supplied names.
- Apply application allowlisting to prevent Greenshot from launching unexpected child processes such as cmd.exe or powershell.exe.
# Verify installed Greenshot version on Windows (PowerShell)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "Greenshot*" } |
Select-Object DisplayName, DisplayVersion, Publisher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
