Monthly
Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory() check added by the prior CVE-2026-48800 fix, allowing arbitrary code execution via the Run command. Because the check uses a prefix match (PathIsPrefix-style) without canonicalizing the path first, a string beginning with a trusted directory but containing ..\..\ traversal resolves to an untrusted location yet still passes validation, causing ShellExecute() to launch an attacker-controlled binary. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it requires local user interaction and is fixed in 8.9.6.2.
Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory() check added by the prior CVE-2026-48800 fix, allowing arbitrary code execution via the Run command. Because the check uses a prefix match (PathIsPrefix-style) without canonicalizing the path first, a string beginning with a trusted directory but containing ..\..\ traversal resolves to an untrusted location yet still passes validation, causing ShellExecute() to launch an attacker-controlled binary. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it requires local user interaction and is fixed in 8.9.6.2.