CVE-2025-55294 CRITICAL

CVE-2025-55294: Command Injection via `format` option in screenshot-desktop

Vendor Bencevans
Product screenshot-desktop
Weakness CWE-77
Published August 19, 2025
Last update August 19, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2.
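A caller-side guard for the `format` option, as an added example that is not code from screenshot-desktop or from this advisory. It assumes the application only needs `png` and `jpg`; the function names and the allowlist are hypothetical. It complements upgrading to 1.15.2 and does not replace it.

```javascript
// Added example: caller-side guard for the `format` option (not project code).
// Assumption: the application only needs these two image formats.
const ALLOWED_FORMATS = new Set(['png', 'jpg']);
const FIXED_VERSION = [1, 15, 2]; // fixed release named in the advisory

// Return a safe format string or throw. Only exact allowlist members pass,
// so shell metacharacters, whitespace and non-string values never reach
// the library.
function validateFormat(input) {
  if (typeof input !== 'string') {
    throw new TypeError('format must be a string');
  }
  const fmt = input.toLowerCase();
  if (!ALLOWED_FORMATS.has(fmt)) {
    throw new RangeError('unsupported format');
  }
  return fmt;
}

// Build the options object from untrusted request data, copying only the
// validated field instead of passing the caller's object through.
function buildScreenshotOptions(untrusted) {
  const raw = untrusted && untrusted.format !== undefined ? untrusted.format : 'png';
  return { format: validateFormat(raw) };
}

// True when an installed version string "x.y.z" is >= 1.15.2.
function isPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return false; // unknown or pre-release strings are treated as unpatched
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] > FIXED_VERSION[i];
  }
  return true;
}
```

Pass the result of `buildScreenshotOptions` to the library rather than the raw request object, and use `isPatched` in a dependency check against the installed version.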

Key dates

02 Disclosure timeline

August 19, 2025 CVE published
August 19, 2025 Record updated