Vulnerability Overview
CVE ID: CVE-2026-22035
Product: Greenshot (Windows)
Affected Component: ExternalCommand plugin
Vulnerability Type: OS Command Injection (CWE-78)
Attack Vector: Local
Impact: Arbitrary command execution with user privileges
Severity: High
CVSS Score: ~7.8 (High)
Exploitability: Medium (requires user interaction or local file/config access)
Exploit Availability: Publicly known Proof-of-Concepts
Description
CVE-2026-22035 is a command injection vulnerability affecting the ExternalCommand feature of Greenshot on Windows. This plugin allows users to define custom commands that process screenshots (for example, sending a screenshot to another application or script).
The issue occurs because Greenshot directly inserts a filename into a command string that is executed by the Windows shell, without properly sanitizing or escaping it. If the filename contains shell metacharacters, the shell interprets them as additional commands instead of harmless text.
As a result, a specially crafted filename can cause Greenshot to execute arbitrary operating system commands when the external command action is triggered.
Root Cause
Internally, Greenshot builds the command line by substituting the screenshot's filename into a user-defined command template through a string-format mechanism. The filename is not validated or escaped before the resulting string is handed to the shell.
Windows command interpreters give certain characters special meaning: cmd.exe treats &, &&, | and || as command separators and ^ as its escape character, while PowerShell treats ; as a statement separator and | as the pipeline operator. An attacker can therefore embed such characters in a filename, and when Greenshot executes the external command the interpreter treats the injected content as additional commands rather than as part of a file path.
This is a classic instance of improper neutralization of special elements used in an OS command (CWE-78).
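The following is an added illustration of the root cause and is not Greenshot's code. It models, in simplified form, how cmd.exe splits a command line on separators, formats a constructed malicious filename into a hypothetical ExternalCommand-style template the way the advisory describes, and contrasts that with a builder that validates the filename against an allowlist and passes it as a discrete argument instead of through a shell. The tool path C:\Tools\upload.exe, the templates and the allowlist are assumptions made for the example.

```python
"""Added example: simplified model of cmd.exe command splitting versus a
hardened argument-vector builder. Not Greenshot's code; tool path,
templates and filenames are constructed samples."""
import re

# Hypothetical templates of the kind a user might define for the ExternalCommand
# plugin; {0} marks where the screenshot filename is substituted.
UNQUOTED_TEMPLATE = r"C:\Tools\upload.exe {0}"
QUOTED_TEMPLATE = r'C:\Tools\upload.exe "{0}"'

# Constructed attacker-controlled filename. & and spaces are legal in NTFS names.
MALICIOUS_FILENAME = "screenshot.png & calc.exe"


def build_command_unsafe(template: str, filename: str) -> str:
    """The vulnerable pattern: format the filename straight into a shell command string."""
    return template.format(filename)


def split_cmd_commands(command_line: str) -> list[str]:
    """Return the separate commands cmd.exe would run for one command line.

    Simplified model of cmd.exe parsing, sufficient to show the injection:
      - double quotes toggle a quoted state in which separators are literal,
      - a caret (^) outside quotes escapes the next character,
      - &&, ||, & and | outside quotes separate commands.
    Redirection, %VAR% expansion and other cmd.exe rules are deliberately omitted.
    """
    commands: list[str] = []
    current: list[str] = []
    quoted = False
    i = 0
    while i < len(command_line):
        ch = command_line[i]
        if ch == '"':
            quoted = not quoted
            current.append(ch)
            i += 1
        elif not quoted and ch == "^" and i + 1 < len(command_line):
            current.append(command_line[i + 1])  # escaped character taken literally
            i += 2
        elif not quoted and command_line.startswith(("&&", "||"), i):
            commands.append("".join(current))
            current = []
            i += 2
        elif not quoted and ch in "&|":
            commands.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    commands.append("".join(current))
    return [c.strip() for c in commands if c.strip()]


# Hardened side. The allowlist is an assumption about what a Greenshot output
# filename should ever contain; anything else is rejected rather than escaped.
SAFE_FILENAME_RE = re.compile(r"[A-Za-z0-9 ._\-]+")


def is_safe_filename(filename: str) -> bool:
    """True if the filename consists only of allowlisted characters."""
    return SAFE_FILENAME_RE.fullmatch(filename) is not None


def build_argv_safe(executable: str, filename: str) -> list[str]:
    """Build an argument vector for CreateProcess-style execution (e.g. subprocess.run
    with shell=False). No shell ever parses the filename, so separators are inert."""
    if not is_safe_filename(filename):
        raise ValueError(f"filename contains characters outside the allowlist: {filename!r}")
    return [executable, filename]


if __name__ == "__main__":
    for template in (UNQUOTED_TEMPLATE, QUOTED_TEMPLATE):
        cmdline = build_command_unsafe(template, MALICIOUS_FILENAME)
        print(f"{cmdline!r} -> cmd.exe runs {split_cmd_commands(cmdline)}")
    print("hardened:", is_safe_filename(MALICIOUS_FILENAME), build_argv_safe(r"C:\Tools\upload.exe", "screenshot.png"))
```

With the unquoted template the model yields two commands, the second being calc.exe; with the quoted template it yields one. Quoting is still not the right fix: cmd.exe expands %VAR% references even inside double quotes, and a template aimed at powershell.exe follows different quoting rules, so the robust remedy is the argument-vector path combined with an allowlist on the filename.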
How the Vulnerability Can Be Exploited
This vulnerability is local, but still dangerous. Common exploitation scenarios include:
1. Filename-Based Injection
An attacker provides a file with a malicious filename, such as through:
- A shared network folder
- A ZIP archive
- Email attachments
- USB drives
When the user opens or processes this file using Greenshot’s ExternalCommand feature, the malicious filename is passed directly to the shell, causing unintended commands to execute.
Example (conceptual only):
screenshot.png & calc.exe
When this filename is substituted unquoted into a cmd.exe command line, the & ends the intended command and calc.exe runs as a second command alongside the intended action.
2. Configuration-Based Injection (Persistent)
Greenshot supports a configuration file (greenshot-fixed.ini) that can define external commands globally. If an attacker can modify or plant this configuration file (for example, via malware or a compromised installer), they can inject malicious command templates that execute every time Greenshot runs an external command.
This method is more persistent and can lead to repeated command execution without further user interaction.
Impact
Successful exploitation allows an attacker to:
- Execute arbitrary commands as the current user
- Install malware or backdoors
- Exfiltrate user-accessible data
- Launch ransomware or credential-stealing tools
- Establish persistence through scheduled tasks or registry modifications
While the attack does not grant administrative privileges by itself, it can be chained with a separate privilege escalation vulnerability.
Proof of Concept (PoC)
Proof-of-Concept techniques are publicly available and demonstrate:
- Triggering command execution via crafted filenames
- Exploitation through malicious external command templates
These PoCs are intended strictly for educational, defensive, and testing purposes. They confirm exploitability but should not be used in production or against systems without explicit authorization.
MITRE Mapping
- CWE-78: Improper Neutralization of Special Elements used in an OS Command
- ATT&CK Technique: T1059 – Command and Scripting Interpreter
Detection & Monitoring
Recommended Log Sources
To detect exploitation attempts, monitor the following:
- Windows Security Logs (Event ID 4688 – Process Creation; the command line is only recorded if the "Include command line in process creation events" policy is enabled)
- Sysmon Logs (Event ID 1 – Process Create, with full command line)
- PowerShell Logs (Script Block Logging – Event ID 4104)
- EDR / XDR Telemetry
- File Integrity Monitoring for Greenshot configuration files
What to Look For
Indicators of potential exploitation include:
- Greenshot.exe spawning cmd.exe or powershell.exe
- Command lines containing shell separators (&, |, &&, ;)
- Unusual child processes such as calc.exe, whoami.exe, curl.exe, or bitsadmin.exe launched from Greenshot
- Unexpected creation or modification of greenshot-fixed.ini
- External command templates invoking shell interpreters directly
Detection Logic
- Alert when:
  - Parent process = Greenshot.exe
  - Child process = cmd.exe or powershell.exe
  - Command line contains shell metacharacters
This logic can be implemented in SIEM, EDR, or Sysmon-based monitoring solutions.
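As an added reference implementation of the detection logic above (not Greenshot's or any vendor's code), the following applies the parent/child/metacharacter rule, plus the "unusual child process" indicator, to Sysmon Event ID 1 records. The records are constructed samples using Sysmon's real field names (UtcTime, Image, CommandLine, ParentImage); in practice they would be pulled from a SIEM or EDR, and the same conditions translate directly into a query there.

```python
"""Added example: the advisory's detection logic over Sysmon Event ID 1
(Process Create) records. Events are constructed samples, not real telemetry."""
import ntpath
import re
from typing import Optional

SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe"}
# Children the advisory lists as unusual for Greenshot to launch directly.
SUSPICIOUS_CHILDREN = {"calc.exe", "whoami.exe", "curl.exe", "bitsadmin.exe"}
# Separators named in the advisory (&, |, &&, ;); the regex matches any of them.
SHELL_SEPARATOR_RE = re.compile(r"&&|\|\||[&|;]")

# Constructed Sysmon Event ID 1 records (subset of fields).
SAMPLE_EVENTS = [
    {   # Legitimate ExternalCommand use: Greenshot hands a normal filename to Paint.
        "UtcTime": "2026-02-10 09:14:02.101",
        "ParentImage": r"C:\Program Files\Greenshot\Greenshot.exe",
        "Image": r"C:\Windows\System32\mspaint.exe",
        "CommandLine": r'"C:\Windows\System32\mspaint.exe" "C:\Users\alice\Pictures\screenshot.png"',
    },
    {   # Filename injection: cmd.exe receives a separator and a second command.
        "UtcTime": "2026-02-10 09:16:47.530",
        "ParentImage": r"C:\Program Files\Greenshot\Greenshot.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c C:\Tools\upload.exe C:\Users\alice\Pictures\screenshot.png & calc.exe",
    },
    {   # Same separator, different parent: outside this rule's scope.
        "UtcTime": "2026-02-10 09:17:03.004",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir & echo done",
    },
    {   # A (hypothetical) planted template that points straight at a listed tool.
        "UtcTime": "2026-02-10 09:20:15.888",
        "ParentImage": r"C:\Program Files\Greenshot\Greenshot.exe",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": r"whoami.exe /all",
    },
]


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows image path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one Event ID 1 record, or None if it is not suspicious."""
    if image_name(event["ParentImage"]) != "greenshot.exe":
        return None
    child = image_name(event["Image"])
    if child in SHELL_INTERPRETERS and SHELL_SEPARATOR_RE.search(event["CommandLine"]):
        return "greenshot-shell-metachar"
    if child in SUSPICIOUS_CHILDREN:
        return "greenshot-suspicious-child"
    return None


def triage(events: list) -> list:
    """Apply classify() to a batch; returns (UtcTime, child image, label) per hit."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((event["UtcTime"], image_name(event["Image"]), label))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

Two of the four sample records alert: the cmd.exe child carrying an & separator, and the direct whoami.exe child. Expect tuning in practice: | and ; occur in legitimate PowerShell command lines, and the processes a separator actually spawns (calc.exe in the sample) appear with cmd.exe as their parent, so correlating ProcessGuid to ParentProcessGuid across events is needed to tie them back to Greenshot.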
Mitigation & Remediation
Immediate Actions
- Upgrade Greenshot immediately to the fixed version (1.3.311 or later).
- Disable the ExternalCommand plugin if it is not strictly required.
- Remove or lock down write access to Greenshot configuration files.
Long-Term Security Controls
- Enforce least privilege for user accounts
- Use application allowlisting
- Centralize endpoint logging
- Monitor parent-child process relationships
- Regularly audit user-writable application configuration files
Official Patch / Upgrade
The issue has been fixed by the Greenshot maintainers.
Upgrade to Greenshot version 1.3.311 or later.
Official download and patch link:
https://getgreenshot.org/downloads/
Final Takeaway
Although this vulnerability is local, it is highly relevant in real-world environments where users routinely handle files from untrusted sources. Any application that passes user-controlled input to a system shell without strict validation becomes a powerful execution vector for attackers.
Timely patching, proper monitoring, and disabling unnecessary features are the most effective defenses against CVE-2026-22035.
