Notepad++: Critical Notepad++ Vulnerability Enables Arbitrary Code Execution

Notepad++ Patches Critical Arbitrary Code Execution Vulnerabilities in Emergency Update

On May 26, 2026, the Notepad++ development team released an emergency patch (v8.9.6.1) to address three security vulnerabilities, two of which could allow arbitrary code execution on affected systems. Users running version 8.9.6 or earlier are impacted and advised to update immediately.

The vulnerabilities, tracked as CVE-2026-48770 (medium severity), CVE-2026-48778 (critical), and CVE-2026-48800 (critical), stem from improper handling of configuration files. The most severe flaw, CVE-2026-48778, involves the unvalidated processing of the <GUIConfig name="commandLineInterpreter"> tag in config.xml. When a user triggers the File → Open Containing Folder → cmd action, Notepad++ executes the specified interpreter without validation. This lets an attacker replace cmd.exe with a malicious executable; the proof-of-concept exploit substitutes calc.exe.

Exploitation requires no elevated privileges and can occur through multiple attack vectors, including:

  • Direct modification of %APPDATA%\Notepad++\config.xml
  • Malicious shortcuts (.lnk) redirecting Notepad++ to attacker-controlled settings
  • Cloud sync poisoning via tampered configuration files
  • Social engineering tactics, such as tricking users into extracting malicious archives

A similar flaw (CVE-2026-48800) affects shortcuts.xml, following an analogous exploitation path. The patch in v8.9.6.1 mitigates these risks by implementing allowlists for permitted interpreters, validating executable paths, and introducing user confirmation dialogs before execution. Developers have been urged to adopt these security measures in future updates.
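
A defender-side audit of the commandLineInterpreter value in config.xml, applying the allowlist and path-validation ideas described above. This is an added example, not Notepad++'s patch code; the allowlist entries, trusted directories, function names and sample XML are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on non-Windows hosts
import xml.etree.ElementTree as ET

# Assumed allowlist; the page does not list the entries used by the patch.
ALLOWED_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed trusted install directories (lower-case, no trailing backslash).
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\program files\powershell\7",
}

def check_interpreter(value):
    """Return (ok, reason) for one commandLineInterpreter value."""
    v = value.strip().strip('"')
    if not v:
        return True, "not set"
    if "%" in v:
        return False, "unexpanded environment variable; resolve and review"
    norm = ntpath.normcase(ntpath.normpath(v))
    directory, name = ntpath.split(norm)
    if not name.endswith(".exe"):
        name += ".exe"  # bare names such as "powershell"
    if name not in ALLOWED_NAMES:
        return False, f"{name} is not an allowlisted interpreter"
    if directory and directory not in TRUSTED_DIRS:
        return False, f"{name} is outside the trusted directories"
    return True, "allowlisted"

def audit_config(xml_text):
    """List (value, ok, reason) for every commandLineInterpreter entry."""
    findings = []
    for node in ET.fromstring(xml_text).iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            value = (node.text or "").strip()
            findings.append((value, *check_interpreter(value)))
    return findings

# Constructed sample mirroring the proof-of-concept value named in the article.
SAMPLE_CONFIG = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""

if __name__ == "__main__":
    for value, ok, reason in audit_config(SAMPLE_CONFIG):
        print("OK  " if ok else "FLAG", repr(value), "-", reason)
```

An allowlisted file name in an untrusted directory (for example a cmd.exe dropped into a user-writable folder) is flagged as well, which is why the name check alone is not sufficient.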

Source: https://cyberpress.org/notepad-vulnerability/

Notepad++ cybersecurity rating report: https://www.rankiteo.com/company/notepad-plus-plus
