Skip to main content

Notepad Plus Plus CVE-2026-48778

| EUVDEUVD-2026-39907 HIGH
OS Command Injection (CWE-78)
2026-06-26 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 21:24 vuln.today
Analysis Generated
Jun 26, 2026 - 21:24 vuln.today

DescriptionCVE.org

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.

AnalysisAI

Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Identify all systems running Notepad++ versions before 8.9.6.1; restrict write permissions on %APPDATA%\Notepad++ and installation directories to prevent unauthorized config modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy