CVE-2026-22035 – Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin

CVE ID : CVE-2026-22035

Published : Jan. 8, 2026, 1:15 a.m. | 1 hour, 12 minutes ago

Description : Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.

Severity: 7.7 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…