Critical Notepad++ Vulnerabilities Allow Remote Code Execution
Severity: High (Score: 72.0)
Sources: Thecyberexpress, Gbhackers, Cybersecuritynews, Csoonline
Keywords: notepad, code, critical, execution, vulnerabilities, arbitrary, allow
Severity indicators: critical, vulnerabilities, flaw, remote code execution, ot
Summary
Notepad++ has released version 8.9.6.1 to patch three vulnerabilities, including two critical flaws (CVE-2026-48778 and CVE-2026-48800) that enable arbitrary code execution on Windows systems. These vulnerabilities arise from improper handling of XML configuration files, allowing local attackers to execute commands by tampering with user settings. The flaws affect all versions up to 8.9.6 and were disclosed on May 26, 2026. CVE-2026-48778 allows manipulation of the command-line interpreter path, while CVE-2026-48800 targets user-defined commands in the shortcuts.xml file. Both require user interaction or prior access to the AppData directory. A third lower-severity vulnerability, CVE-2026-48770, was also patched. Users are urged to update immediately to mitigate risks.

Key Points:
- Two critical vulnerabilities in Notepad++ allow arbitrary code execution.
- Affected versions include all prior to 8.9.6; users must update to 8.9.6.1.
- Attackers can exploit these flaws through tampered XML configuration files.
Detailed Analysis
**Impact** Notepad++ users on Windows systems running versions up to 8.9.6 are affected, including developers, enterprise workstations, and administrative environments globally. Exploitation could lead to remote code execution, allowing attackers to run arbitrary commands without elevated privileges, potentially compromising system integrity and enabling persistence. The vulnerabilities also enable denial-of-service conditions, disrupting normal application use. No specific data breach or sector-targeted impact was reported.

**Technical Details** The primary attack vectors involve tampering with Notepad++ XML configuration files located in the user’s AppData directory: `config.xml` (CVE-2026-48778) and `shortcuts.xml` (CVE-2026-48800). Both flaws allow arbitrary command execution by injecting malicious entries that the application executes without validation. CVE-2026-48778 enables OS command injection via the “Open Containing Folder in cmd” feature by altering the command-line interpreter path. CVE-2026-48800 allows persistence through malicious Run entries in shortcuts.xml. CVE-2026-48770 causes application crashes via malformed input but does not lead to code execution. Exploits require local write access or social engineering to modify configuration files. No specific malware or external infrastructure was detailed.

**Recommended Response** Apply Notepad++ version 8.9.6.1 immediately to patch all three vulnerabilities. Monitor the `%APPDATA%\Notepad++\` directory for unauthorized changes to `config.xml` and `shortcuts.xml`. Deploy endpoint detection rules to alert on unexpected execution of commands triggered via Notepad++ features. Harden user permissions to restrict write access to configuration directories and educate users to avoid extracting archives or opening shortcuts from untrusted sources.
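The monitoring step in the recommended response, as an added example that is not code from Notepad++ or the source articles: a Python audit that reads the two configuration files and reports the interpreter path and Run entries that deviate from a local baseline. The element names (`GUIConfig name="commandLineInterpreter"`, `UserDefinedCommands/Command`), the allow-list, the baseline and the sample XML are assumptions constructed for illustration and should be checked against an installed copy.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, not captured from a real host. Element and attribute
# names are assumptions about the Notepad++ layout; confirm against your install.
SAMPLE_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\Users\Public\helper.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_SHORTCUTS = r"""<NotepadPlus><UserDefinedCommands>
  <Command name="Wikipedia Search" Ctrl="no" Alt="yes" Shift="no" Key="114">https://en.wikipedia.org/wiki/Special:Search?search=$(CURRENT_WORD)</Command>
  <Command name="Sync" Ctrl="no" Alt="no" Shift="no" Key="0">C:\Users\Public\sync.exe /quiet</Command>
</UserDefinedCommands></NotepadPlus>"""

# Local policy (assumed): interpreter values and Run entries your build ships with.
ALLOWED_INTERPRETERS = {"", "cmd", "cmd.exe", "powershell", "powershell.exe"}
BASELINE_RUN = {("Wikipedia Search",
                 "https://en.wikipedia.org/wiki/Special:Search?search=$(CURRENT_WORD)")}

def _parse(text):
    # The file is attacker-writable input: refuse DTDs/entities, tolerate bad XML.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return None
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        return None

def audit(config_xml, shortcuts_xml):
    """Return (file, setting, value) tuples that deviate from local policy."""
    findings = []
    cfg, sc = _parse(config_xml), _parse(shortcuts_xml)
    if cfg is None:
        findings.append(("config.xml", "parse", "unparseable or contains DTD"))
    else:
        for node in cfg.iter("GUIConfig"):
            if node.get("name") == "commandLineInterpreter":
                value = (node.text or "").strip()
                if value.lower() not in ALLOWED_INTERPRETERS:
                    findings.append(("config.xml", "commandLineInterpreter", value))
    if sc is None:
        findings.append(("shortcuts.xml", "parse", "unparseable or contains DTD"))
    else:
        for cmd in sc.findall("UserDefinedCommands/Command"):
            entry = (cmd.get("name", ""), (cmd.text or "").strip())
            if entry not in BASELINE_RUN:
                findings.append(("shortcuts.xml", "Run entry: " + entry[0], entry[1]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG, SAMPLE_SHORTCUTS), sep="\n")
```

On an endpoint, pass the contents of the two files under `%APPDATA%\Notepad++\` to `audit()` and forward any findings to the alerting pipeline.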
Source articles (4)
- Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code — Cybersecuritynews · 2026-05-28
  Notepad++, one of the most widely used open-source text editors for Windows, has released an urgent security update addressing three vulnerabilities, including two arbitrary code execution flaws that…
- Critical Notepad++ Flaw Could Enable Remote Code Execution Attacks — Gbhackers · 2026-05-28
  Notepad++ has released version 8.9.6.1 to address multiple security vulnerabilities, including critical flaws that could allow arbitrary code execution under specific conditions. The update, published…
- Notepad++ Patches High — Thecyberexpress · 2026-05-29
  The developers behind Notepad++ have released version 8.9.6.1 to address multiple security vulnerabilities, including critical flaws that could expose users to remote code execution (RCE) attacks unde…
- Notepad++ vulnerabilities could enable arbitrary code execution on Windows systems — Csoonline · 2026-05-29
  Two arbitrary code execution vulnerabilities in Notepad++ let local attackers run commands of their choice on Windows machines by tampering with the editor’s XML configuration files, with both flaws r…
Timeline
- 2026-05-26 — Vulnerabilities disclosed: Notepad++ announced three vulnerabilities, including critical RCE flaws CVE-2026-48778 and CVE-2026-48800.
- 2026-05-26 — Patch released: Notepad++ version 8.9.6.1 was released to address the vulnerabilities and improve security.
- 2026-05-27 — Security advisory published: GitHub Security Advisory detailed the vulnerabilities and their potential impact on users.
Related entities
- DDoS (Attack Type)
- Malware (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-78 - OS Command Injection (Cwe)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- Windows (Platform)