CVE-2026-62294 PUBLISHED

Flameshot: OCTOU symlink attack via predictable /tmp path in Flameshot "Open With"

Assigner: GitHub_M
Reserved: 13.07.2026 Published: 15.07.2026 Updated: 15.07.2026

Flameshot is powerful yet simple to use screenshot software. Prior to 14.0.0, the Open With feature wrote screenshots to a predictable temporary path and followed symlinks, creating a time-of-check to time-of-use race that allowed a local unprivileged attacker on the same machine to pre-plant a symlink and cause Flameshot to write PNG data through it, overwriting any file the victim user could write. This issue is fixed in version 14.0.0.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Product Status

Vendor flameshot-org
Product flameshot
Versions
  • Version < 14.0.0 is affected

References

Problem Types

  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE
  • CWE-377: Insecure Temporary File CWE