Skip to main content

Notepad++ CVE-2026-48800

| EUVDEUVD-2026-39904 HIGH
OS Command Injection (CWE-78)
2026-06-26 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local config-file injection executed only after the victim clicks the menu item gives AV:L/UI:R; arbitrary code runs as the user with full C/I/A impact; no app privileges are required to author the XML, so PR:N.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 21:23 vuln.today
Analysis Generated
Jun 26, 2026 - 21:23 vuln.today

DescriptionCVE.org

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validation. When the user clicks the corresponding entry in the Run menu, NppCommands.cpp:4264 creates a Command object with string2wstring(ucmd.getCmd()) and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. The injected command appears as a normal menu item in the Run menu, making it a viable persistence mechanism. This vulnerability is fixed in 8.9.6.1.

AnalysisAI

Local OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject an arbitrary executable path into a <Command> entry under <UserDefinedCommands>, which feedUserCmds() loads into UserCommand._cmd with no validation and later passes straight to ShellExecute when the victim clicks the corresponding Run-menu item. Because the malicious entry renders as an ordinary Run-menu item, it doubles as a stealthy persistence mechanism that executes attacker-chosen binaries in the victim's user context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local write access to user profile
Delivery
Inject malicious <Command> into shortcuts.xml
Exploit
feedUserCmds loads value into UserCommand._cmd
Execution
Victim clicks crafted Run-menu item
Persist
ShellExecute runs attacker binary
Impact
Code execution and persistence as user

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the attacker to write to the victim's shortcuts.xml configuration file and inject a crafted <Command> value inside <UserDefinedCommands>, and (2) the victim to subsequently click the malicious entry in Notepad++'s Run menu (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 7.8 High) accurately frames this as a local, low-complexity issue requiring victim interaction (clicking the Run-menu entry) but yielding full confidentiality, integrity, and availability impact via arbitrary code execution in the user's context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local write access to a user's Notepad++ profile (for example via prior low-privilege access, a shared workstation, or a malicious installer) edits shortcuts.xml to add a <Command> entry whose text is a path to a malicious executable, labeled as a benign-looking Run-menu item. The next time the victim opens that Run-menu entry, ShellExecute launches the attacker's binary in the victim's context. …
Remediation Upgrade to Notepad++ 8.9.6.1 or later, which is the vendor-released patch (8.9.6.1) that adds path and trust validation before ShellExecute (commit 6b3dc52). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems with Notepad++ deployment and document current versions; prioritize development and analyst workstations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy