{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25792", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.639Z", "datePublished": "2026-03-20T10:04:34.752Z", "dateUpdated": "2026-03-20T10:04:44.475Z"}, "containers": {"cna": {"title": "Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "lang": "en", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j"}], "affected": [{"vendor": "greenshot", "product": "greenshot", "versions": [{"version": "<= 1.3.312", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:04:44.475Z"}, "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application\u2019s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication."}], "source": {"advisory": "GHSA-f8v9-7fph-fr2j", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application\u2019s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication."}], "id": "CVE-2026-25792", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:01.753", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T11:21:13.830448+00:00", "value": {"mitigation_remediation": ["Check the Greenshot repository or official website for an update; once released apply the latest version.", "If no update is available, monitor the project's repository for a patch and apply it as soon as possible.", "Restrict write permissions to the screenshot directories used by Greenshot to prevent an attacker from dropping a malicious explorer.exe file.", "Avoid placing files named explorer.exe in directories that Greenshot may search for executables."], "summary": {"action": "Assess Impact", "impact": "Local Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are Greenshot version 1.3.312 and all earlier releases. The product in question is greenshot:greenshot. Users of these versions are vulnerable regardless of OS configuration.", "description_and_impact": "The vulnerability allows a local attacker to execute arbitrary code in the context of Greenshot. When a user double\u2011clicks the tray icon, Greenshot launches explorer.exe without an absolute path, causing it to search for the executable in the system's binary path. By placing a malicious executable with the same name as explorer.exe in a directory that is searched before the legitimate Windows binary, an attacker can hijack the launch and run code with the application's privileges. This is an instance of CWE\u2011426 (Untrusted Search Path) and can lead to local code execution and potential privilege escalation.", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires local access and the ability to place a file named explorer.exe in a prioritized search directory, so the attack vector is purely local. The impact is confined to the compromised Windows machine, but because the code runs under the Greenshot process it could potentially be leveraged for further attacks."}}}}, "created": "2026-03-20T14:13:48.307208+00:00", "updated": "2026-03-20T14:13:48.307246+00:00", "vendors": []}