Skip to main content

Notepad++ EUVDEUVD-2026-39905

| CVE-2026-46710 HIGH
Untrusted Search Path (CWE-426)
2026-06-26 GitHub_M
7.5
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Local-only binary planting (AV:L); multiple preconditions and a privileged user must select the attacker dir, so AC:H and UI:R; attacker needs no prior privileges (PR:N); code runs as installer with full C/I/A.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 21:24 vuln.today
Analysis Generated
Jun 26, 2026 - 21:24 vuln.today

DescriptionCVE.org

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.

AnalysisAI

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access to user-writable install directory
Delivery
Plant malicious powershell.exe beside NppShell.msix
Exploit
Privileged user runs installer, selects that directory
Execution
Installer invokes bare 'powershell' from working dir
Impact
Attacker binary executes with installer's elevated privileges

Vulnerability AssessmentAI

Exploitation Requires all of: (1) the attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory; (2) a privileged user subsequently runs the affected Notepad++ installer (8.9.4-8.9.5); and (3) that privileged user explicitly selects the attacker-controlled directory as the install target, triggering the context-menu / Add-AppxPackage registration step. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-conditional risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can write to a shared or user-controlled directory (e.g., a common downloads or staging folder) drops a malicious powershell.exe there. An administrator later runs the Notepad++ installer and selects that directory as the install target; during context-menu registration the installer launches the planted powershell.exe with elevated privileges, executing the attacker's code as the installing (privileged) user. …
Remediation Vendor-released patch: upgrade to Notepad++ 8.9.6, which resolves the PowerShell path from the HKLM registry (SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell) and invokes that absolute path instead of the bare 'powershell' name; obtain it via the official release and review the advisory at https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-6f8f-vmfc-r8c5. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Scan infrastructure to identify all systems running Notepad++ 8.9.4-8.9.5; document affected systems and restrict installation permissions where possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy