Threat Advisory

Notepad++ Vulnerability Enables Arbitrary Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Notepad++, a popular open‑source text editor for Windows, affecting versions up to and including 8.9.6. The flaws comprise a denial‑of‑service crash via malformed XML, and two arbitrary code execution weaknesses that arise from unvalidated values in config.xml and shortcuts.xml. An attacker who can write to a user’s AppData configuration files or influence cloud‑synced settings can cause the application to execute malicious commands without user interaction. Exploitation could lead to silent deployment of ransomware, data exfiltration, or lateral movement across the network, representing a severe operational and reputational risk for enterprises.

  • CVE-2026-48770 – A malformed XML structure can cause Notepad++ to crash, enabling a denial‑of‑service condition; exploitation requires an attacker to supply a crafted XML file to the application’s parsing routine, which can be achieved by placing the file in the user’s configuration directory.
  • CVE-2026-48778 – This vulnerability allows arbitrary code execution by inserting a malicious command interpreter path into the tag of config.xml; an attacker needs write access to %APPDATA%\Notepad++\config.xml or the ability to redirect the settings directory, after which the malicious command is executed via ShellExecute without user consent.
  • CVE-2026-48800 – Similar to CVE-2026-48778, this flaw enables execution of arbitrary commands through a tampered shortcuts.xml file; exploitation requires the attacker to modify the shortcuts configuration, which can be done by any process with access to the user’s Notepad++ settings folder.

The combined risk from these vulnerabilities is high, as they permit unauthenticated attackers to run malicious code on any compromised workstation, potentially leading to data loss, credential theft, and widespread infection. Immediate attention is required because exploitation does not depend on privileged access and can be triggered through routine user actions such as opening files or syncing settings. Failure to address these issues could result in significant operational disruption and damage to corporate reputation.
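
A triage check for the two settings files named above, as an added example that is not part of the original advisory or of Notepad++: it reports files that fail to parse and values that look like command lines. The function name `audit_settings`, the heuristics and the sample XML are assumptions constructed for illustration; the scan is element-name agnostic, so it does not depend on the exact layout of either file.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics picked for this example (assumptions; tune them for your estate).
SUSPICIOUS = [
    ("unc-path", re.compile(r"^\s*\\\\[^\\]+\\")),
    ("interpreter-with-args", re.compile(
        r"\b(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(?:\.exe)?\s+\S", re.I)),
    ("binary-in-user-writable-dir", re.compile(
        r"\\(?:Users\\Public|AppData|Temp|Downloads)\\[^\"]*"
        r"\.(?:exe|bat|cmd|ps1|vbs|js|hta|dll)\b", re.I)),
]

def audit_settings(name, xml_text):
    """Return (file, rule, location, value) findings for one settings file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # A settings file that does not parse is itself worth an alert.
        return [(name, "malformed-xml", "line %d" % err.position[0], str(err))]
    findings = []
    for elem in root.iter():
        # Element-name agnostic: inspect the text and every attribute value.
        values = [("text", elem.text or "")] + list(elem.attrib.items())
        for where, value in values:
            for rule, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append(
                        (name, rule, "<%s> %s" % (elem.tag, where), value.strip()))
    return findings

# Constructed sample inputs, not taken from a real incident.
SHORTCUTS_SAMPLE = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Search help" Key="0">https://example.com/?q=$(CURRENT_WORD)</Command>
    <Command name="Format" Key="0">C:\Users\Public\updater.exe "$(FULL_CURRENT_PATH)"</Command>
  </UserDefinedCommands>
</NotepadPlus>"""
CONFIG_SAMPLE = "<NotepadPlus><GUIConfigs><GUIConfig name='x'>y</GUIConfigs></NotepadPlus>"

if __name__ == "__main__":
    for sample in (("shortcuts.xml", SHORTCUTS_SAMPLE), ("config.xml", CONFIG_SAMPLE)):
        for finding in audit_settings(*sample):
            print(finding)
```

On an endpoint, pass it the contents of config.xml and shortcuts.xml from each profile's %APPDATA%\Notepad++ folder; findings are leads for review, not verdicts.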

RECOMMENDATION:

  • We recommend updating Notepad++ to version v8.9.6.1.

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/critical-notepad-vulnerabilities/
