๐Ÿ” CVE Alert

CVE-2026-62294

UNKNOWN 0.0

Flameshot: OCTOU symlink attack via predictable /tmp path in Flameshot "Open With"

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Flameshot is powerful yet simple to use screenshot software. Prior to 14.0.0, the Open With feature wrote screenshots to a predictable temporary path and followed symlinks, creating a time-of-check to time-of-use race that allowed a local unprivileged attacker on the same machine to pre-plant a symlink and cause Flameshot to write PNG data through it, overwriting any file the victim user could write. This issue is fixed in version 14.0.0.

CWE CWE-362 CWE-377
Vendor flameshot-org
Product flameshot
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for flameshot-org flameshot

Be the first to know when new unknown vulnerabilities affecting flameshot-org flameshot are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

flameshot-org / flameshot
< 14.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/flameshot-org/flameshot/security/advisories/GHSA-fqqf-4rj8-c392 github.com: https://github.com/flameshot-org/flameshot/pull/4716 github.com: https://github.com/flameshot-org/flameshot/commit/936716b8d8b7052be461c3d5e2f88492b6eb3b96 github.com: https://github.com/flameshot-org/flameshot/releases/tag/v14.0.0