Notepad++: Update Closes Vulnerability in Installer

(Image: Dirk Knoch / heise medien)

An update for Notepad++ closes a security vulnerability in the installer. An official CVE entry with risk assessment is still missing.

Notepad++ closes a security vulnerability in the installer in the new version 8.9.6. The risk assessment is not yet conclusive; a listed CVE entry has not yet been published.

In the version announcement, Notepad++ developer Don Ho [1] writes that the vulnerability affects Notepad++ versions 8.9.4 and 8.9.5, though some installer-related regressions were already fixed [2] in the latter version. The vulnerability is tracked as CVE-2026-46710 [3], an entry that has not yet been published. CERT-Bund at the Federal Office for Information Security (BSI) assesses [4] the severity at CVSS 7.3, which classifies it as a “high” risk.

For now, in keeping with the old programmer's adage, the code is the documentation. In the associated commit for the vulnerability, Ho writes that the file path is now obtained from the Registry instead of being hardcoded. This relates to the invocation of “powershell”, which was previously called without any path. This at least raises the suspicion that an attacker could have placed a malicious file named “powershell.exe” in the Windows search path, which would then be executed when the installation or an update starts.

Apply update manually

The updated version can be found on the Notepad++ download webpage [5]. At the time of reporting, the internal update mechanism indicates that there is no generally available update after v8.9.5. Calling “winget upgrade --all” at the Windows command prompt also does not yet bring the updated version of the powerful text tool to the drive. Anyone who wants to protect themselves now must take matters into their own hands and download and install the update manually.

At the end of last year, a security vulnerability in Notepad++’s update mechanism [6] was exploited by state actors. They used it to place malware on victims’ computers.

See also: Notepad++ [7]: Download fast and secure from heise.de

(dmk [9])

URL of this article: https://www.heise.de/-11303525

Links in this article:
[1] https://notepad-plus-plus.org/news/v896-released/
[2] https://community.notepad-plus-plus.org/topic/27540/notepad-release-8.9.6
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-46710
[4] https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1614
[5] https://notepad-plus-plus.org/downloads/v8.9.6/
[6] https://www.heise.de/news/Notepad-Updater-Uebernahme-durch-staatliche-Akteure-11162101.html
[7] https://www.heise.de/download/product/notepad-26659?wt_mc=intern.red.download.tickermeldung.ho.link.link
[8] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[9] mailto:dmk@heise.de

Copyright © 2026 Heise Medien
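An added example, not code from the article or from the Notepad++ project: a check a defender can run to see which file a bare “powershell.exe” resolves to for a given search order, and whether any copy shadows the expected one. The search order, the trusted location and all sample paths are assumptions constructed for illustration; the article does not state which directories the installer's lookup consulted.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis host
import os

def split_path(path_var):
    """Split a Windows PATH value into directories, dropping empty entries and quotes."""
    dirs = [d.strip().strip('"') for d in path_var.split(";")]
    return [d for d in dirs if d]

def norm(p):
    """Case-insensitive, separator-normalized form for comparing Windows paths."""
    return ntpath.normcase(ntpath.normpath(p))

def audit_unqualified(name, search_dirs, trusted_path, exists=os.path.isfile):
    """Report what a bare `name` resolves to when search_dirs are tried in order.

    resolved: first hit, i.e. the file that would actually be launched.
    shadows:  every copy of `name` found ahead of trusted_path.
    safe:     True only if the first hit is trusted_path itself.
    """
    trusted = norm(trusted_path)
    hits = [ntpath.join(d, name) for d in search_dirs
            if exists(ntpath.join(d, name))]
    shadows = []
    for hit in hits:
        if norm(hit) == trusted:
            break
        shadows.append(hit)
    resolved = hits[0] if hits else None
    return {"resolved": resolved, "shadows": shadows,
            "safe": resolved is not None and norm(resolved) == trusted}

# Constructed sample data (assumptions, not from the article).
SAMPLE_PATH = r'C:\Windows\system32;;"C:\Windows";C:\Windows\System32\WindowsPowerShell\v1.0\;'
TRUSTED = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_FILES = {norm(TRUSTED), norm(r"C:\Users\alice\Downloads\powershell.exe")}

def sample_exists(path):
    """Stand-in for os.path.isfile backed by SAMPLE_FILES."""
    return norm(path) in SAMPLE_FILES

if __name__ == "__main__":
    # Assumed order: a download folder is consulted before the PATH entries.
    dirs = [r"C:\Users\alice\Downloads"] + split_path(SAMPLE_PATH)
    print(audit_unqualified("powershell.exe", dirs, TRUSTED, sample_exists))
```

On a live Windows host, omit the `exists` argument so that `os.path.isfile` is used, and pass the directories your launcher actually searches.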
