Skip to main content

Notepad Plus Plus

6 CVEs product

Monthly

CVE-2026-48770 MEDIUM PATCH This Month

Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.

Microsoft Buffer Overflow Information Disclosure Notepad Plus Plus
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-48778 HIGH POC PATCH This Week

Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. Publicly available exploit code exists (Exploit-DB 52606), but there is no public exploit identified as actively exploited; the issue is not in CISA KEV.

Command Injection Notepad Plus Plus
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.8
EPSS
1.4%
CVE-2026-52885 HIGH PATCH This Week

Local code execution in Notepad++ before 8.9.6.4 stems from a time-of-check/time-of-use race in NppCommands.cpp: the integrity HMAC of shortcuts.xml is verified against the on-disk file when a command fires, but the command payload is read from the _userCommands vector loaded at startup and never re-synced with disk. An attacker with write access to shortcuts.xml can plant a malicious version before launch and restore the legitimate file afterward, so the runtime HMAC check passes on the clean file while the malicious in-memory command executes. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it is fixed in 8.9.6.4.

Information Disclosure Notepad Plus Plus
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.2%
CVE-2026-46710 HIGH PATCH This Week

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. No public exploit has been identified at time of analysis; the issue is fixed in 8.9.6 and corresponds to CWE-426 (Untrusted Search Path).

Privilege Escalation Notepad Plus Plus
NVD GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-48800 HIGH PATCH This Week

Local OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject an arbitrary executable path into a <Command> entry under <UserDefinedCommands>, which feedUserCmds() loads into UserCommand._cmd with no validation and later passes straight to ShellExecute when the victim clicks the corresponding Run-menu item. Because the malicious entry renders as an ordinary Run-menu item, it doubles as a stealthy persistence mechanism that executes attacker-chosen binaries in the victim's user context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the fix is confirmed in release 8.9.6.1.

Command Injection Notepad Plus Plus
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-52884 HIGH This Week

Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory() check added by the prior CVE-2026-48800 fix, allowing arbitrary code execution via the Run command. Because the check uses a prefix match (PathIsPrefix-style) without canonicalizing the path first, a string beginning with a trusted directory but containing ..\..\ traversal resolves to an untrusted location yet still passes validation, causing ShellExecute() to launch an attacker-controlled binary. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it requires local user interaction and is fixed in 8.9.6.2.

Path Traversal Notepad Plus Plus
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.

Microsoft Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. Publicly available exploit code exists (Exploit-DB 52606), but there is no public exploit identified as actively exploited; the issue is not in CISA KEV.

Command Injection Notepad Plus Plus
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local code execution in Notepad++ before 8.9.6.4 stems from a time-of-check/time-of-use race in NppCommands.cpp: the integrity HMAC of shortcuts.xml is verified against the on-disk file when a command fires, but the command payload is read from the _userCommands vector loaded at startup and never re-synced with disk. An attacker with write access to shortcuts.xml can plant a malicious version before launch and restore the legitimate file afterward, so the runtime HMAC check passes on the clean file while the malicious in-memory command executes. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it is fixed in 8.9.6.4.

Information Disclosure Notepad Plus Plus
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. No public exploit has been identified at time of analysis; the issue is fixed in 8.9.6 and corresponds to CWE-426 (Untrusted Search Path).

Privilege Escalation Notepad Plus Plus
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject an arbitrary executable path into a <Command> entry under <UserDefinedCommands>, which feedUserCmds() loads into UserCommand._cmd with no validation and later passes straight to ShellExecute when the victim clicks the corresponding Run-menu item. Because the malicious entry renders as an ordinary Run-menu item, it doubles as a stealthy persistence mechanism that executes attacker-chosen binaries in the victim's user context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the fix is confirmed in release 8.9.6.1.

Command Injection Notepad Plus Plus
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Trusted-directory validation bypass in Notepad++ 8.9.6.1 lets a crafted executable path defeat the isInTrustedDirectory() check added by the prior CVE-2026-48800 fix, allowing arbitrary code execution via the Run command. Because the check uses a prefix match (PathIsPrefix-style) without canonicalizing the path first, a string beginning with a trusted directory but containing ..\..\ traversal resolves to an untrusted location yet still passes validation, causing ShellExecute() to launch an attacker-controlled binary. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; it requires local user interaction and is fixed in 8.9.6.2.

Path Traversal Notepad Plus Plus
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy