Public March 2026
ShareX Turned Untrusted URLs into Local Process Execution
BugBunny.ai found that ShareX treated attacker-controlled URL strings from custom uploader responses and HTTP URL shorteners as executable targets. When ShareX later called Process.Start with UseShellExecute enabled, those strings could launch local executables, UNC paths, or dangerous protocol handlers on the user’s machine.
TL;DR
- Impact: attackers can trigger arbitrary code execution on a ShareX user’s machine in code paths that open attacker-controlled URLs.
- Attack surface: untrusted uploader responses, HTTP shortener output, or stored history entries reaching URLHelpers.OpenURL().
- Affected version: ShareX 19.0.2, as tested during coordinated disclosure.
- Status: CVE assigned during coordination; no patched release was listed in the advisory snapshot.
Root Cause
URLHelpers.OpenURL() accepted an arbitrary string and, when no explicit browser path was configured, passed that string straight into Process.Start as FileName with UseShellExecute set to true. On Windows, that means the value is interpreted as something to execute, not merely a URL to display.
Multiple code paths supplied unvalidated attacker-controlled values to that sink. Custom uploader responses, URL-shortener output, and manual Open URL actions all trusted data that should have been parsed and validated first. The codebase already had IsValidURL() checks elsewhere, which makes the missing validation here a clear security gap rather than an intentional design choice.
Product: ShareX
Affected: 19.0.2
Patched: no patched version listed yet
Weaknesses
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-20: Improper Input Validation
Mitigation
- Validate URLs consistently before any OpenURL or Process.Start call.
- Do not pass untrusted strings to Process.Start with UseShellExecute enabled.
- Treat uploader responses and URL-shortener output as untrusted input even when they originate from configured integrations.
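As an added illustration (not ShareX's own code), here is the Process.Start shape described under Root Cause beside a hardened opener that applies the mitigations above; the class name, method names and sample inputs are constructed for this example.

```csharp
using System;
using System.Diagnostics;

// Added example, not ShareX code: contrasts the unsafe sink with a validated one.
public static class SafeUrlOpener
{
    // Only web URLs may reach the shell; any other scheme is refused before Process.Start.
    private static readonly string[] AllowedSchemes = { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    // True only for an absolute http(s) URL with a host; local paths, UNC paths
    // and custom protocol handlers all fail this check.
    public static bool IsSafeWebUrl(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        // Uri.TryCreate happily parses "C:\..." and "\\host\share" as file:// URIs,
        // so successful parsing alone proves nothing; the scheme allowlist does the work.
        if (!Uri.TryCreate(candidate.Trim(), UriKind.Absolute, out Uri uri)) return false;
        if (Array.IndexOf(AllowedSchemes, uri.Scheme) < 0) return false;
        if (uri.IsFile || uri.IsUnc || string.IsNullOrEmpty(uri.Host)) return false;
        return true;
    }

    // Vulnerable shape: the raw string becomes FileName with UseShellExecute enabled,
    // so the Windows shell decides what to launch. Shown for comparison, never called here.
    public static void OpenUnsafe(string target)
    {
        Process.Start(new ProcessStartInfo { FileName = target, UseShellExecute = true });
    }

    // Hardened shape: validate first, then hand the shell only the canonical absolute URI.
    public static bool OpenUrl(string candidate)
    {
        if (!IsSafeWebUrl(candidate)) return false;
        var uri = new Uri(candidate.Trim(), UriKind.Absolute);
        Process.Start(new ProcessStartInfo { FileName = uri.AbsoluteUri, UseShellExecute = true });
        return true;
    }

    public static void Main()
    {
        // Constructed inputs standing in for uploader/shortener responses; only the first passes.
        string[] samples =
        {
            "https://example.com/i/abc.png",
            "C:\\example\\tool.exe",
            "\\\\example-host\\share\\tool.exe",
            "customproto:constructed-payload",
        };
        foreach (var s in samples)
            Console.WriteLine($"{(IsSafeWebUrl(s) ? "ALLOW" : "REJECT")}  {s}");
    }
}
```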
Credits & Disclosure
CVE-2026-33016 was assigned during coordinated disclosure based on GitHub Security Advisory GHSA-6gh8-cxfc-m3q5.