Description
Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application’s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication.
Published: 2026-03-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Check Version
AI Analysis

Impact

Greenshot, an open‑source Windows screenshot utility, contains a flaw where the application launches explorer.exe without an absolute path. The program accepts a user‑supplied executable name and searches the path hierarchy, allowing a local attacker to place a malicious file with the same name as a legitimate Windows binary in a directory that is searched before explorer.exe. When the user double‑clicks the tray icon, Greenshot opens the folder containing the most recent screenshot, triggering the vulnerable behavior and giving the attacker code execution in the context of the Greenshot process.

Affected Systems

The affected product is Greenshot for Windows. Versions 1.3.312 and earlier are vulnerable; no patch was available at publication time, and later releases beyond 1.3.312 are not affected.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. EPSS is below 1%, indicating a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker must have local access to the machine and be able to place a malicious executable in a directory that appears before explorer.exe in the search order. Successful exploitation results in code execution within the Greenshot application’s user context; no escalation to higher privileges is described in the available data.

Generated by OpenCVE AI on March 23, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the Greenshot version installed; if version 1.3.312 or lower, check the vendor’s website for an update or plan to upgrade when an official fix becomes available.
  • Avoid leaving files with names matching legitimate system binaries in directories that the application searches prior to explorer.exe; keep such directories clean.
  • If an update is not immediately possible and the ExternalCommand plugin is not required, disable or uninstall the plugin to reduce the attack surface.

Generated by OpenCVE AI on March 23, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Getgreenshot
Getgreenshot greenshot
CPEs cpe:2.3:a:getgreenshot:greenshot:*:*:*:*:*:*:*:*
Vendors & Products Getgreenshot
Getgreenshot greenshot

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Greenshot
Greenshot greenshot
Vendors & Products Greenshot
Greenshot greenshot

Fri, 20 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application’s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication.
Title Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin
Weaknesses CWE-426
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Getgreenshot Greenshot
Greenshot Greenshot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T03:55:58.579Z

Reserved: 2026-02-05T19:58:01.639Z

Link: CVE-2026-25792

cve-icon Vulnrichment

Updated: 2026-03-20T15:59:23.580Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T11:18:01.753

Modified: 2026-03-23T15:51:14.620

Link: CVE-2026-25792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:36Z

Weaknesses