Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.
AnalysisAI
Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Identify all systems running Notepad++ versions before 8.9.6.1; restrict write permissions on %APPDATA%\Notepad++ and installation directories to prevent unauthorized config modifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Notepad Plus Plus
View allLocal OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject a
Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory(
Local code execution in Notepad++ before 8.9.6.4 stems from a time-of-check/time-of-use race in NppCommands.cpp: the int
Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local
Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39907