CVE-2026-22035
published 2026-01-08


Priority: P346, high, 7.3 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.1th percentile)
Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below are vulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.
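
The pattern described above next to a hardened form, as an added example that is not Greenshot's code and not the fix shipped in 1.3.311. All class, method and variable names are hypothetical, the character list is constructed, and ProcessStartInfo.ArgumentList assumes .NET Core 2.1 or later.

```csharp
// Added illustration, not Greenshot source code. All names are hypothetical.
using System;
using System.Diagnostics;
using System.IO;

static class ExternalCommandSketch
{
    // The pattern the advisory describes: the filename goes into the
    // argument template through string.Format() with no checks or quoting.
    public static string FormatArgumentsUnsafe(string template, string fullPath)
    {
        return string.Format(template, fullPath);
    }

    // Constructed deny-list: characters that cmd.exe or command-line
    // parsing treats specially.
    private static readonly char[] ShellSpecial =
        { '"', '&', '|', '<', '>', '^', '%', '!', '`', '\r', '\n' };

    public static bool IsSafeFileName(string fullPath)
    {
        string name = Path.GetFileName(fullPath);
        return !string.IsNullOrEmpty(name)
            && name.IndexOfAny(Path.GetInvalidFileNameChars()) < 0
            && fullPath.IndexOfAny(ShellSpecial) < 0;
    }

    // Hardened form: validate first, then hand the path over as one
    // argument instead of splicing it into a command string.
    public static ProcessStartInfo BuildStartInfo(string exePath, string fullPath)
    {
        if (!IsSafeFileName(fullPath))
            throw new ArgumentException("Filename contains disallowed characters.", nameof(fullPath));

        var psi = new ProcessStartInfo(exePath) { UseShellExecute = false };
        psi.ArgumentList.Add(fullPath); // the runtime quotes this as a single argument
        return psi;
    }

    static void Main()
    {
        // Constructed sample paths: one ordinary, one with a shell metacharacter.
        foreach (string path in new[] { @"C:\shots\capture 01.png", @"C:\shots\a&b.png" })
        {
            string verdict = IsSafeFileName(path) ? "accepted" : "rejected";
            Console.WriteLine(path + " -> " + verdict);
        }
    }
}
```

The validation step stays even with ArgumentList, because a configured external command that is cmd.exe or a batch file still interprets metacharacters inside a correctly quoted argument.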

Affected (2 ranges)

Vendor       | Product   | Version range | Fixed in
getgreenshot | greenshot | < 1.3.311     | 1.3.311
greenshot    | greenshot | < 1.3.311     | 1.3.311