Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local file-swap race (AV:L/AC:H); attacker needs write access to the victim's config file (PR:L) and the user must trigger a command (UI:R); full command execution gives C/I/A High.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.
AnalysisAI
Local code execution in Notepad++ before 8.9.6.4 stems from a time-of-check/time-of-use race in NppCommands.cpp: the integrity HMAC of shortcuts.xml is verified against the on-disk file when a command fires, but the command payload is read from the _userCommands vector loaded at startup and never re-synced with disk. An attacker with write access to shortcuts.xml can plant a malicious version before launch and restore the legitimate file afterward, so the runtime HMAC check passes on the clean file while the malicious in-memory command executes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local write access to the on-disk shortcuts.xml file and the ability to win a timing race: the attacker must place the malicious shortcuts.xml before Notepad++ startup (when _userCommands is populated) and restore the legitimate file before the command-time HMAC check executes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, base 7.5) correctly reflects a local-only attack with high complexity due to the race window, but high impact to confidentiality, integrity and availability since arbitrary user commands run. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has write access to a victim's shortcuts.xml (for example via a prior low-privilege foothold or a writable shared profile path) replaces the file with one defining a malicious command, then restores the legitimate file once Notepad++ has loaded the tampered commands into memory. When the user triggers the affected command, the runtime HMAC check validates the restored clean file and passes, while the attacker's command executes from memory. … |
| Remediation | Vendor-released patch: upgrade Notepad++ to 8.9.6.4 or later, which caches the shortcuts.xml HMAC at startup (Parameters.cpp) and compares the cached load-time value instead of recomputing it at command time, eliminating the swap window; see advisory https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-qm4c-qg8p-qfcr and commit 4f7563c7c7f8ffa0d795ec86a7777067c7d644b5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Notepad++ versions prior to 8.9.6.4; assess exposure on multi-user and shared systems where configuration write access is feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Notepad Plus Plus
View allLocal code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in c
Local OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject a
Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory(
Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local
Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39906