Skip to main content

Notepad++ CVE-2026-52884

| EUVDEUVD-2026-39903 HIGH
Path Equivalence: 'filename.' (Trailing Dot) (CWE-42)
2026-06-26 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local Run-command trigger with no privileges but mandatory user interaction; successful code execution in the user's context yields full C/I/A impact, matching AV:L/PR:N/UI:R.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 21:23 vuln.today
Analysis Generated
Jun 26, 2026 - 21:23 vuln.today

DescriptionCVE.org

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.

AnalysisAI

Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory() check added by the prior CVE-2026-48800 fix, allowing arbitrary code execution via the Run command. Because the check uses a prefix match (PathIsPrefix-style) without canonicalizing the path first, a string beginning with a trusted directory but containing ..\..\ traversal resolves to an untrusted location yet still passes validation, causing ShellExecute() to launch an attacker-controlled binary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant executable in user-writable location
Delivery
Deliver crafted Run path with trusted prefix
Exploit
Bypass isInTrustedDirectory prefix check
Execution
User triggers Run command
Persist
ShellExecute resolves traversal
Impact
Arbitrary code runs as user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim be running Notepad++ 8.9.6.1 on Windows and invoke the Run command (the feature that calls ShellExecute() via Command::run()) against a path that the attacker can influence - for example through a crafted session/configuration or a document-supplied command string. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - local attack vector, low complexity, no privileges, but mandatory user interaction, yielding full confidentiality/integrity/availability impact in the user's security context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker delivers a Notepad++ session, configuration, or document that causes the Run command to receive a path like <trusted-dir>\..\..\Users\Public\evil.exe; the prefix-based isInTrustedDirectory() check accepts it, but ShellExecute() resolves the traversal and launches the attacker's binary in the victim's context. The local, low-complexity vector means execution is reliable once the victim triggers the Run action, though the required user interaction (UI:R) means the attacker must lure the user into that step; no public POC was provided.
Remediation Vendor-released patch: 8.9.6.2 - upgrade all Windows installations of Notepad++ from 8.9.6.1 to 8.9.6.2 or later, which canonicalizes the path before the trusted-directory comparison. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Notify all users running Notepad++ 8.9.6.1 to avoid using the Run command; disable this feature via configuration management if possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy