{"id":"CVE-2026-25792","summary":"Greenshot Vulnerable to Untrusted Search Path / Binary Hijacking When Launching explorer.exe","details":"Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have an untrusted executable search path (binary hijacking) vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application’s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable named explorer.exe in a directory that is searched before the legitimate Windows binary's location, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication.","aliases":["GHSA-f8v9-7fph-fr2j"],"modified":"2026-04-10T05:40:47.814976Z","published":"2026-03-20T10:04:34.752Z","database_specific":{"cwe_ids":["CWE-426"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25792.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25792.json"},{"type":"ADVISORY","url":"https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25792"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/greenshot/greenshot","events":[{"introduced":"0"},{"last_affected":"5a60aff83e595cf5ec7385e6093b4fd0db831d7a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3.312"}]}}],"versions":["Greenshot-RELEASE-1.2.8.12","Greenshot-RELEASE-1.2.8.14","bug/546-admin-install","v1.3.105","v1.3.106","v1.3.108","v1.3.151","v1.3.154","v1.3.157","v1.3.178","v1.3.194","v1.3.201","v1.3.202","v1.3.203","v1.3.204","v1.3.205","v1.3.211","v1.3.213","v1.3.218","v1.3.219",
"v1.3.220","v1.3.223","v1.3.229","v1.3.231","v1.3.234","v1.3.235","v1.3.238","v1.3.239","v1.3.244","v1.3.246","v1.3.249","v1.3.254","v1.3.256","v1.3.258","v1.3.259","v1.3.260","v1.3.261","v1.3.262","v1.3.265","v1.3.270","v1.3.273","v1.3.274","v1.3.275","v1.3.277","v1.3.281","v1.3.284","v1.3.286","v1.3.287","v1.3.288","v1.3.289","v1.3.290","v1.3.291","v1.3.292","v1.3.293","v1.3.294","v1.3.296","v1.3.297","v1.3.298","v1.3.299","v1.3.300","v1.3.301","v1.3.302","v1.3.303","v1.3.304","v1.3.310","v1.3.311","v1.3.312","v1.3.55","v1.3.57","v1.3.63","v1.3.69","v1.3.71","v1.3.75","v1.3.76"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25792.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"}]}
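The CWE-426 pattern the record describes, shown as an added C# example that is not Greenshot's own code and does not reproduce its tray-icon handler: a bare `explorer.exe` passed to `Process.Start` is resolved by the Windows process-creation search order (application directory and current directory before the system directories and PATH), so any `explorer.exe` planted earlier in that order wins. The hardened form resolves the shell binary to an absolute path under the Windows directory and refuses to launch anything else. The class and method names are illustrative; `screenshotPath` is assumed to be the file the application just saved.

```csharp
// Added example, not from the Greenshot project: the unsafe launch pattern beside a hardened one.
using System;
using System.Diagnostics;
using System.IO;

static class ScreenshotFolderOpener
{
    // Vulnerable pattern (CWE-426): the file name is not rooted, so CreateProcess/ShellExecute
    // walks the search order (app directory, current directory, System32, Windows, PATH) and
    // runs the first explorer.exe it finds. A writable directory early in that order is enough
    // for a local attacker to substitute their own binary.
    public static void OpenFolderUnsafe(string screenshotPath)
    {
        Process.Start("explorer.exe", "/select,\"" + screenshotPath + "\"");
    }

    // Hardened: compute the absolute path of the real shell binary and validate it before use.
    // Environment.SpecialFolder.Windows resolves to the installed Windows directory
    // (normally C:\Windows), which a standard user cannot write to.
    public static string ResolveExplorerPath()
    {
        string windowsDir = Environment.GetFolderPath(Environment.SpecialFolder.Windows);
        string explorer = Path.Combine(windowsDir, "explorer.exe");

        if (!IsRootedUnder(explorer, windowsDir) || !File.Exists(explorer))
            throw new FileNotFoundException("explorer.exe is not where the OS says it should be", explorer);

        return explorer;
    }

    // Check used above: the candidate must be an absolute path and must live inside baseDir
    // (after normalisation, so "..\" segments cannot escape the Windows directory).
    public static bool IsRootedUnder(string candidate, string baseDir)
    {
        if (!Path.IsPathRooted(candidate)) return false;
        string full = Path.GetFullPath(candidate);
        string baseFull = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        return full.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase);
    }

    public static void OpenFolderSafe(string screenshotPath)
    {
        var psi = new ProcessStartInfo
        {
            FileName = ResolveExplorerPath(),                                  // absolute path: no search
            Arguments = "/select,\"" + Path.GetFullPath(screenshotPath) + "\"", // quote the file argument
            UseShellExecute = false,                                           // plain CreateProcess, no shell verb lookup
        };
        Process.Start(psi);
    }
}
```

The same rule applies to every other helper the application launches by bare name; the fix is to root the path (or resolve it once against a trusted directory and cache it), not to sanitise the arguments, since the argument string is not where the hijack happens.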