Critical Notepad++ Flaws Allow Arbitrary Code Execution
An urgent security update addresses three critical vulnerabilities in Notepad++, the widely used open-source text editor for Windows. Among these are two arbitrary code execution flaws, which could enable attackers to silently deploy and run malicious programs on a victim’s machine.
The Notepad++ development team released version v8.9.6.1 on May 26, 2026, patching all three vulnerabilities. Users running v8.9.6 or earlier are urged to update immediately.
Notepad++ Vulnerabilities
The update resolves the following vulnerabilities:
| CVE ID | Severity | Description |
|---|---|---|
| CVE-2026-48770 | High | Crash via malformed XML structure |
| CVE-2026-48778 | Critical | Arbitrary code execution via config.xml |
| CVE-2026-48800 | Critical | Arbitrary code execution via shortcuts.xml |
The most severe of the three is CVE-2026-48778, which targets the <GUIConfig name="commandLineInterpreter"> tag inside Notepad++’s config.xml file.
The editor reads this value through NppXml::value() in Parameters.cpp and stores it without any validation, whitelist, or digital signature check.
When a user triggers File → Open Containing Folder → cmd, the application creates a command object from the attacker-controlled string and passes it directly to ShellExecute(), effectively executing whatever executable the attacker has planted.
A simple proof-of-concept payload placing calc.exe in the XML tag causes Windows Calculator to launch instead of the intended command prompt, confirming full code execution capability.
Researchers identified several realistic paths by which an attacker could exploit CVE-2026-48778:
- Direct config file write — any process running under the same user account can modify %APPDATA%\Notepad++\config.xml
- Malicious shortcut (.lnk) — using the -settingsDir= flag to redirect Notepad++ to an attacker-controlled settings directory.
- Cloud sync poisoning — Notepad++ supports a user-configurable cloud path, which an attacker could poison through compromised cloud storage.
- Social engineering via archive extraction — tricking users into extracting malicious archives that drop a tampered config into AppData.
CVE-2026-48800 follows a similar exploitation pattern but targets shortcuts.xml instead.
Mitigation
All three vulnerabilities are patched in Notepad++ v8.9.6.1, available now on the official releases page.
Security researchers additionally recommend that Notepad++ implement a whitelist of permitted command-line interpreters (such as cmd.exe, powershell.exe), validate executable paths against system directories, and introduce a user confirmation dialog before executing any shell command.
Enterprise environments should prioritize patching, particularly where users operate shared or cloud-synced configuration directories.
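The allowlist and system-directory checks recommended above can also be run by defenders against config.xml files already on disk. The following is an added example, not code from this article or from Notepad++; the allowlist contents, the trusted directory list, the function names and the sample XML are assumptions, and only the GUIConfig tag name comes from the article.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumed allowlist; the article names cmd.exe and powershell.exe as examples.
ALLOWED_NAMES = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
# Assumed trusted directories (lower-cased) for fully qualified paths.
SYSTEM_DIRS = (r"c:\windows\system32",
               r"c:\windows\system32\windowspowershell\v1.0")

# Constructed sample, not a real user's file.
SAMPLE = """<NotepadPlus>
    <GUIConfigs>
        <GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>
    </GUIConfigs>
</NotepadPlus>"""

def check_interpreter(value):
    """Return (ok, reason) for one commandLineInterpreter value."""
    value = (value or "").strip().strip('"')
    if not value:
        return True, "no interpreter configured"
    # ntpath parses Windows paths on any OS; a value carrying arguments or an
    # unknown name fails the allowlist test below.
    directory, name = ntpath.split(ntpath.normpath(value))
    if name.lower() not in ALLOWED_NAMES:
        return False, f"interpreter not on allowlist: {name!r}"
    if directory and directory.lower() not in SYSTEM_DIRS:
        return False, f"allowlisted name outside system directories: {directory!r}"
    return True, "allowlisted"

def audit_config(xml_text):
    """Return one (ok, reason) finding per commandLineInterpreter entry."""
    # The file is untrusted input: refuse DTDs rather than expand entities.
    if "<!DOCTYPE" in xml_text.upper():
        return [(False, "DOCTYPE present; refusing to parse")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [(False, f"malformed XML: {exc}")]
    return [check_interpreter(node.text)
            for node in root.iter("GUIConfig")
            if node.get("name") == "commandLineInterpreter"]

if __name__ == "__main__":
    for ok, reason in audit_config(SAMPLE):
        print("OK  " if ok else "FLAG", reason)
```

A file reached through -settingsDir= or a cloud-synced path can be checked the same way by passing its contents to audit_config.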