CVE-2026-62294 in flameshot
Summary
by MITRE • 07/15/2026
Flameshot is powerful yet simple to use screenshot software. Prior to 14.0.0, the Open With feature wrote screenshots to a predictable temporary path and followed symlinks, creating a time-of-check to time-of-use race that allowed a local unprivileged attacker on the same machine to pre-plant a symlink and cause Flameshot to write PNG data through it, overwriting any file the victim user could write. This issue is fixed in version 14.0.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Flameshot prior to version 14.0.0 represents a classic time-of-check to time-of-use race condition that exploited predictable temporary file handling mechanisms within the application's Open With feature. This flaw existed in the software's approach to managing temporary files during screenshot processing, where the application would create files at predetermined locations in the filesystem without proper security measures to prevent malicious interference. The issue specifically manifested when Flameshot attempted to write screenshot data to temporary directories, creating opportunities for local privilege escalation through symlink manipulation.
The technical implementation of this vulnerability involved the application's failure to properly validate file paths during the temporary file creation process. When users invoked the Open With feature, Flameshot would generate temporary files at known locations within the system's temporary directory structure. The software's design followed symbolic links without adequate safeguards, allowing attackers to establish malicious symlinks in the expected temporary path before the legitimate file creation occurred. This race condition created a window where an unprivileged attacker could manipulate the filesystem to redirect file writes to arbitrary locations, effectively bypassing normal access controls that would normally prevent such modifications.
The operational impact of this vulnerability extends beyond simple file overwrites, as it enabled local attackers to potentially compromise user data integrity and system security through carefully orchestrated symlink placement. The attack vector required minimal privileges and could be executed by any user on the same machine, making it particularly concerning for multi-user systems or environments where users might not fully trust their peers. Once successfully exploited, the vulnerability could allow an attacker to overwrite critical files, inject malicious content into user documents, or potentially disrupt normal system operations through strategic file replacement attacks. The predictable nature of the temporary paths made this attack surface easily exploitable without requiring extensive reconnaissance or specialized knowledge.
This vulnerability aligns with CWE-367, which specifically addresses Time-of-Check to Time-of-Use (TOCTOU) race conditions, and represents a common pattern in software development where proper file system validation and atomic operations are not implemented. From an ATT&CK framework perspective, this issue maps to techniques involving privilege escalation through local exploitation and manipulation of application temporary files. The fix implemented in version 14.0.0 likely addressed the root cause by implementing proper temporary file handling practices including atomic creation methods, non-predictable temporary paths, or explicit symlink resolution safeguards that prevent the race condition from occurring. Organizations should ensure all users upgrade to version 14.0.0 or later to mitigate this risk and maintain system integrity in environments where multiple users share the same machine or system resources.