CVE-2026-25792 in Greenshot
Summary
by MITRE • 03/20/2026
Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have an untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application’s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication.
Analysis
by VulDB Data Team • 04/29/2026
The vulnerability identified as CVE-2026-25792 affects Greenshot, a popular open source Windows screenshot utility that has been widely used for capturing and managing screen images. This security flaw exists in versions 1.3.312 and earlier, representing a significant concern for users who rely on this tool for their daily operations. The vulnerability stems from improper handling of executable paths within the application's codebase, specifically when the software attempts to launch explorer.exe to display the most recent screenshot directory. This issue falls under the category of binary hijacking and executable search path vulnerabilities, which are commonly classified as CWE-426 and CWE-78 in the Common Weakness Enumeration catalog. The vulnerability represents a critical security risk because it allows for arbitrary code execution through a local attack vector that requires minimal user interaction.
The technical exploitation of this vulnerability occurs when a user double-clicks the application's tray icon, which triggers the automatic opening of the directory containing the most recent screenshot. The application fails to use absolute paths when executing the explorer.exe command, instead relying on the system's PATH environment variable to locate the executable. This behavior creates a window of opportunity for attackers who can manipulate the system's search order by placing a malicious executable with the same name as explorer.exe in a directory that appears earlier in the PATH sequence. When the vulnerable application executes the explorer.exe command, the system loads and executes the attacker-controlled binary instead of the legitimate Windows executable. This type of attack aligns with techniques documented in the MITRE ATT&CK framework under the T1059.001 tactic for command and scripting interpreter, specifically targeting Windows Command Prompt execution. The vulnerability is particularly dangerous because it operates entirely within the context of the application's privileges, which may include elevated permissions depending on how the application was installed or run.
The operational impact of this vulnerability extends beyond simple code execution, as it can lead to complete system compromise when attackers leverage this weakness effectively. Since the vulnerability requires only local access and user interaction through a simple tray icon click, it represents an accessible attack vector that could be exploited by malware or malicious actors who have already gained some level of access to the target system. The lack of a patch at the time of publication indicates that this vulnerability remained unaddressed for an extended period, potentially allowing attackers to develop and deploy sophisticated exploitation techniques. Organizations and individuals using affected versions of Greenshot face significant risk, as the vulnerability can be exploited to install additional malware, steal sensitive information, or establish persistent access to the compromised system. The vulnerability's exploitation does not require network connectivity or complex attack chains, making it particularly concerning for environments where system hardening and security controls may be insufficient. The binary hijacking nature of the vulnerability also means that it could potentially be combined with other local privilege escalation techniques, amplifying the overall security impact.
Mitigation strategies for this vulnerability should focus on immediate remediation and long-term security hardening measures. The most effective solution is to upgrade to a patched version of Greenshot, but since no patch was available at publication time, alternative approaches must be implemented in the meantime. Users should avoid double-clicking the application's tray icon when possible, or ensure that the application is running with minimal privileges to limit potential damage. System administrators should consider implementing application whitelisting policies that prevent execution of unauthorized binaries, particularly in directories that appear early in the PATH environment variable. Because exploitation relies heavily on PATH manipulation, it can be prevented through proper system configuration and privilege management. Organizations should also consider implementing monitoring solutions that can detect suspicious process execution patterns or unauthorized binary installations in critical system directories. Security teams should conduct thorough assessments of all installed software to identify similar vulnerabilities in other applications, as this type of executable search path issue is relatively common in software that does not properly handle system calls. The vulnerability serves as a reminder of the importance of secure coding practices and of the need for developers to always use absolute paths when executing system binaries, so that this kind of search path hijacking is not possible.
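The process-execution monitoring described above can be expressed as a small detection rule. The following is an added example, not code from Greenshot or VulDB: it flags any explorer.exe process whose image is not the legitimate Windows binary and raises the severity when the parent is Greenshot. The events are constructed samples using Sysmon Event ID 1 field names; the trusted path C:\Windows\explorer.exe, the parent image name Greenshot.exe and all sample paths are assumptions.

```python
import ntpath  # Windows path semantics, usable on any analysis host

# Assumption: %SystemRoot% is C:\Windows on the monitored hosts.
TRUSTED_EXPLORER = ntpath.normcase(r"C:\Windows\explorer.exe")
WATCHED_PARENT = "greenshot.exe"  # assumed image name of the application

# Constructed sample events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\Greenshot\Greenshot.exe",
     "CommandLine": r'explorer.exe "C:\Users\alice\Pictures"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\explorer.exe",
     "ParentImage": r"C:\Program Files\Greenshot\Greenshot.exe",
     "CommandLine": r'explorer.exe "C:\Users\alice\Pictures"'},
    {"Image": r"C:\WINDOWS\Explorer.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\WINDOWS\Explorer.EXE"},
    {"Image": r"C:\Tools\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "explorer.exe ."},
]


def classify(event):
    """Return None for a benign event, otherwise a severity string."""
    # Windows paths are case-insensitive; normalise before comparing.
    image = ntpath.normcase(ntpath.normpath(event["Image"]))
    if ntpath.basename(image) != "explorer.exe":
        return None  # not the binary name this rule watches
    if image == TRUSTED_EXPLORER:
        return None  # the legitimate Windows binary
    parent = ntpath.basename(ntpath.normcase(event["ParentImage"]))
    # A look-alike started by the application matches the advisory's
    # scenario; any other look-alike is still worth a review.
    return "high" if parent == WATCHED_PARENT else "medium"


def detect(events):
    """Return (severity, image path) for every flagged event."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["Image"]))
    return hits


if __name__ == "__main__":
    for severity, image in detect(SAMPLE_EVENTS):
        print(f"[{severity}] explorer.exe outside %SystemRoot%: {image}")
```
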