Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code
https://cybersecuritynews.com/critical-notepad-vulnerabilities/
Publish Date: 2026-05-29 18:51:00
Source Domain: cybersecuritynews.com
Notepad++, one of the most widely used open-source text editors for Windows, has released an urgent security update addressing three vulnerabilities, including two arbitrary code execution flaws that could allow attackers to silently run malicious programs on a victim’s machine.
The Notepad++ development team released version v8.9.6.1 on May 26, 2026, patching all three vulnerabilities. Users running v8.9.6 or earlier are urged to update immediately.
Notepad++ Vulnerabilities
The update resolves the following vulnerabilities:
| CVE ID | Severity | Description |
|---|---|---|
| CVE-2026-48770 | High | Crash via malformed XML structure |
| CVE-2026-48778 | Critical | Arbitrary code execution via config.xml |
| CVE-2026-48800 | Critical | Arbitrary code execution via shortcuts.xml |
The most severe of the three is CVE-2026-48778, which targets the tag inside Notepad++’s config.xml file.
The editor reads this value through NppXml::value() in Parameters.cpp and stores it without any validation, whitelist, or digital signature check.
When a user triggers File → Open Containing Folder → cmd, the application creates a command object using the attacker-controlled string and passes it directly to ShellExecute(), effectively executing whatever executable the attacker has planted.
A simple proof-of-concept payload placing calc.exe in the XML tag causes Windows Calculator to launch instead of the intended command prompt, confirming full code execution capability.
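For defenders, the missing allowlist check can be applied from the outside by auditing config.xml before the editor reads it. The sketch below is an added example, not code from Notepad++ or from the researchers. It assumes the interpreter is stored in a `GUIConfig` element named `commandLineInterpreter` (the page does not name the tag), and both the allowlist and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: element/attribute that holds the interpreter; not named on the page.
SETTING_NAME = "commandLineInterpreter"
# Assumption: interpreters an organisation accepts, as bare names only.
ALLOWED = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# Constructed sample inputs (not real captured files).
SAMPLE_DEFAULT = """<NotepadPlus><GUIConfigs>
<GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_TAMPERED = """<NotepadPlus><GUIConfigs>
<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_MALFORMED = "<NotepadPlus><GUIConfigs>"  # truncated, never closed


def audit_config(xml_text):
    """Return (verdict, detail) findings for the body of one config.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A file that does not parse is reported as a finding, not raised.
        return [("malformed", str(exc))]
    findings = []
    for node in root.iter("GUIConfig"):
        if node.get("name") != SETTING_NAME:
            continue
        value = (node.text or "").strip()
        if not value:
            continue  # no value set in this file, nothing to assess
        # Only a bare allowlisted name passes; any path, argument string
        # or unknown executable name is flagged for review.
        verdict = "ok" if value.lower() in ALLOWED else "suspicious"
        findings.append((verdict, value))
    return findings


if __name__ == "__main__":
    samples = {"default": SAMPLE_DEFAULT, "tampered": SAMPLE_TAMPERED,
               "malformed": SAMPLE_MALFORMED}
    for label, body in samples.items():
        print(label, audit_config(body))
```

On an endpoint the same function would be run over the contents of the user's config.xml and over any alternate settings directory or cloud path in use.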
Researchers identified several realistic paths by which an attacker could exploit CVE-2026-48778:
- Direct config file write — any process running under the same user account can modify %APPDATA%\Notepad++\config.xml.
- Malicious shortcut (.lnk) — using the -settingsDir= flag to redirect Notepad++ to an attacker-controlled settings directory.
- Cloud sync poisoning — Notepad++ supports a user-configurable cloud path, which an attacker could poison through compromised cloud storage.
- Social engineering via archive extraction —…