Notepad++, one of the most widely used open-source text editors for Windows, has released an urgent security update addressing three vulnerabilities, including two arbitrary code execution flaws that could allow attackers to silently run malicious programs on a victim’s machine.
The Notepad++ development team released version v8.9.6.1 on May 26, 2026, patching all three vulnerabilities. Users running v8.9.6 or earlier are urged to update immediately.
Notepad++ Vulnerabilities
The update resolves the following vulnerabilities:
| CVE ID | Severity | Description |
|---|---|---|
| CVE-2026-48770 | High | Crash via malformed XML structure |
| CVE-2026-48778 | Critical | Arbitrary code execution via config.xml |
| CVE-2026-48800 | Critical | Arbitrary code execution via shortcuts.xml |
The most severe of the three is CVE-2026-48778, which targets the tag inside Notepad++’s config.xml file.
The editor reads this value through NppXml::value() in Parameters.cpp and stores it without any validation, whitelist, or digital signature check.
When a user triggers File → Open Containing Folder → cmd, the application builds a command object from the attacker-controlled string and passes it directly to ShellExecute(), effectively launching whatever executable the attacker has planted.
A simple proof-of-concept payload placing calc.exe in the XML tag causes Windows Calculator to launch instead of the intended command prompt, confirming full code execution capability.
Researchers identified several realistic paths by which an attacker could exploit CVE-2026-48778:
- Direct config file write: any process running under the same user account can modify %APPDATA%\Notepad++\config.xml.
- Malicious shortcut (.lnk): a shortcut that uses the -settingsDir= command-line flag to redirect Notepad++ to an attacker-controlled settings directory.
- Cloud sync poisoning: Notepad++ supports a user-configurable cloud path for its settings, which an attacker could poison through compromised cloud storage.
- Social engineering via archive extraction: tricking users into extracting a malicious archive that drops a tampered config into AppData.
CVE-2026-48800 follows a similar exploitation pattern but targets shortcuts.xml instead.
Mitigation
All three vulnerabilities are patched in Notepad++ v8.9.6.1, available now on the official releases page.
Security researchers additionally recommend that Notepad++ implement a whitelist of permitted command-line interpreters (such as cmd.exe, powershell.exe), validate executable paths against system directories, and introduce a user confirmation dialog before executing any shell command.
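The following Python is an added example, not Notepad++ code and not the researchers' proposal verbatim: it implements the recommended hardening (an allowlist of interpreters that may only be launched from a Windows system directory, with bare names pinned to the system copy) and uses the same check to audit a constructed config.xml fragment for executable references that would fail it. The allowlist, the canonical interpreter locations, the EXE_SUFFIXES heuristic and the GUIConfig names in the sample are assumptions; the audit is deliberately tag-agnostic, since the affected setting's name is not given here, and flags any element text or attribute that names an executable outside the allowlist. PureWindowsPath is used so the check runs on any OS; real code would additionally resolve the path on disk before handing it to ShellExecute().

```python
"""Allowlist check for executable references in Notepad++ settings XML.

Added example, not Notepad++ code. It implements the hardening researchers
recommend for CVE-2026-48778 / CVE-2026-48800: only known command-line
interpreters may be launched, and only from a Windows system directory.
"""
import os
from pathlib import PureWindowsPath
from typing import Optional
import xml.etree.ElementTree as ET

# Assumed allowlist: interpreter name -> canonical location. %SystemRoot%
# is read from the environment and falls back to C:\Windows off-Windows.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")
CANONICAL = {
    "cmd.exe": rf"{SYSTEM_ROOT}\System32\cmd.exe",
    "powershell.exe": rf"{SYSTEM_ROOT}\System32\WindowsPowerShell\v1.0\powershell.exe",
}
# Directories an allowlisted interpreter may legitimately live in (assumed).
SYSTEM_DIRS = (
    PureWindowsPath(rf"{SYSTEM_ROOT}\System32"),
    PureWindowsPath(rf"{SYSTEM_ROOT}\SysWOW64"),
    PureWindowsPath(rf"{SYSTEM_ROOT}\System32\WindowsPowerShell\v1.0"),
)
# Heuristic for "this value names something executable" (assumed list).
EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".ps1")


def _under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    """Case-insensitive 'path is base or lies inside base', by components."""
    p = [s.lower() for s in path.parts]
    b = [s.lower() for s in base.parts]
    return len(p) >= len(b) and p[: len(b)] == b


def resolve_command(value: str) -> Optional[str]:
    """Return the command ShellExecute() may be given, or None to refuse it.

    Accepts a bare allowlisted interpreter name (pinned to its canonical path
    so PATH search order cannot be abused) or an absolute path to an
    allowlisted interpreter inside a system directory. Relative paths, UNC
    paths, '..' components and values carrying trailing arguments are refused.
    """
    p = PureWindowsPath(value.strip().strip('"'))
    if not p.parts:
        return None
    name = p.name.lower()
    if "." not in name:          # "cmd" -> "cmd.exe"
        name += ".exe"
    if name not in CANONICAL:    # calc.exe, "cmd.exe /c ...", etc.
        return None
    if len(p.parts) == 1:        # bare name: pin to the system copy
        return CANONICAL[name]
    if not p.is_absolute() or ".." in p.parts:
        return None
    if not any(_under(p.parent, d) for d in SYSTEM_DIRS):
        return None
    return str(p)


def audit_settings_xml(xml_text: str) -> list:
    """Flag every element text or attribute that looks like an executable
    reference but fails resolve_command(). Tag-agnostic on purpose."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for where, value in [("text", elem.text or "")] + list(elem.attrib.items()):
            v = value.strip().strip('"')
            if v.lower().endswith(EXE_SUFFIXES) and resolve_command(v) is None:
                findings.append({"tag": elem.tag, "name": elem.get("name"),
                                 "where": where, "value": v})
    return findings


# Constructed sample, not a real Notepad++ config.xml; the GUIConfig names
# are placeholders. Only the first entry should be flagged.
SAMPLE_CONFIG_XML = rf"""<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
    <GUIConfigs>
        <GUIConfig name="ExampleLauncher">C:\Users\victim\AppData\Roaming\Notepad++\calc.exe</GUIConfig>
        <GUIConfig name="ExampleShell">cmd.exe</GUIConfig>
        <GUIConfig name="ExamplePinned">{SYSTEM_ROOT}\System32\cmd.exe</GUIConfig>
    </GUIConfigs>
</NotepadPlus>
"""

if __name__ == "__main__":
    for f in audit_settings_xml(SAMPLE_CONFIG_XML):
        print(f"REFUSE <{f['tag']} name={f['name']!r}> {f['where']}: {f['value']}")
    for v in ("cmd", "calc.exe", r"C:\Windows\System32\..\Temp\cmd.exe",
              r"\\attacker\share\cmd.exe", "cmd.exe /c whoami"):
        print(f"{v!r:48} -> {resolve_command(v)}")
```

Running the audit over the real %APPDATA%\Notepad++\config.xml and shortcuts.xml (and over any directory a -settingsDir= shortcut or cloud path points at) gives a quick triage of whether a settings file has been tampered with, independent of which tag the editor actually reads.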
Enterprise environments should prioritize patching, particularly where users operate shared or cloud-synced configuration directories.
