Windows Greenshot Vulnerability Lets Attackers Execute Malicious Code – PoC Published

A critical security vulnerability in the popular Greenshot screenshot utility has been discovered that allows local attackers to execute arbitrary malicious code within the trusted application process.

The vulnerability, tracked as CVE-2025-59050, affects Greenshot versions up to 1.3.300 and has been patched in version 1.3.301 released on September 16, 2025.

Greenshot image editor interface showing capture options and screenshot destination settings on Windows

Critical Deserialization Flaw Exposes Users to Local Attacks

The vulnerability stems from Greenshot’s unsafe handling of Windows inter-process communication through the WM_COPYDATA message system.

Security researcher RipFran discovered that the application directly deserializes attacker-controlled data using the dangerous BinaryFormatter.Deserialize() method without proper validation.

Greenshot screenshot utility settings and capture options interface on Windows

When Greenshot processes WM_COPYDATA messages in its WndProc override function, it copies incoming bytes from any local process ...