Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only binary planting (AV:L); multiple preconditions and a privileged user must select the attacker dir, so AC:H and UI:R; attacker needs no prior privileges (PR:N); code runs as installer with full C/I/A.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.
AnalysisAI
Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires all of: (1) the attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory; (2) a privileged user subsequently runs the affected Notepad++ installer (8.9.4-8.9.5); and (3) that privileged user explicitly selects the attacker-controlled directory as the install target, triggering the context-menu / Add-AppxPackage registration step. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a real-but-conditional risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can write to a shared or user-controlled directory (e.g., a common downloads or staging folder) drops a malicious powershell.exe there. An administrator later runs the Notepad++ installer and selects that directory as the install target; during context-menu registration the installer launches the planted powershell.exe with elevated privileges, executing the attacker's code as the installing (privileged) user. … |
| Remediation | Vendor-released patch: upgrade to Notepad++ 8.9.6, which resolves the PowerShell path from the HKLM registry (SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell) and invokes that absolute path instead of the bare 'powershell' name; obtain it via the official release and review the advisory at https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-6f8f-vmfc-r8c5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Scan infrastructure to identify all systems running Notepad++ 8.9.4-8.9.5; document affected systems and restrict installation permissions where possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Notepad Plus Plus
View allLocal code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in c
Local OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject a
Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory(
Local code execution in Notepad++ before 8.9.6.4 stems from a time-of-check/time-of-use race in NppCommands.cpp: the int
Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39905