In short: Two Notepad++ vulnerabilities enable code execution through XML manipulation. They were patched in version 8.9.6.1. Attackers already need access to the user directory.
Two critical vulnerabilities in Notepad++ (CVE-2026-48778 and CVE-2026-48800) allow local attackers to execute arbitrary commands on Windows systems by manipulating the editor’s XML configuration files. Both vulnerabilities were rated “High” with a CVSS score of 7.8 and affect all versions up to and including 8.9.6 – but were fixed on the same day in version 8.9.6.1.
Both security vulnerabilities are based on a common design flaw: Notepad++ stores user settings such as the path to the command-line shell and custom commands in XML files in the user profile directory. The editor reads these values and executes them as commands without validating their contents. This allows anyone with write access to the XML files to execute arbitrary programs.
The more serious vulnerability, CVE-2026-48800, targets the file holding the custom entries of the Run menu. Notepad++ reads the “shortcuts.xml” file and accepts its contents without validation. An attacker can insert entries there that launch arbitrary executable files when clicked – with deceptively authentic names like “System Update”. This method enables persistent attacks because the injected commands remain in place even after restarts.
The second vulnerability, CVE-2026-48778, affects the “config.xml” file, which stores the path to the command-line shell. An attacker can manipulate this path so that an arbitrary executable file is started instead of the Windows Command Prompt.
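As an added example (not from the article or the Notepad++ project), the following audit script parses the two settings files described above and flags Run-menu commands or a shell path that point into user-writable locations such as AppData. The element names (UserDefinedCommands/Command, GUIConfig name="commandLineInterpreter") are assumptions about Notepad++’s XML layout and should be verified against a real installation; the sample XML is constructed.

```python
"""Audit Notepad++ shortcuts.xml and config.xml for commands that launch
binaries from user-writable directories (defensive check, heuristic)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample shortcuts.xml: element names assumed, not taken from
# a real installation. The second entry mimics a planted "System Update".
SHORTCUTS_XML = """<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Get php help" Ctrl="no" Alt="yes" Shift="no" Key="112">https://www.php.net/%CURRENT_WORD%</Command>
    <Command name="System Update" Ctrl="no" Alt="no" Shift="no" Key="0">C:\\Users\\alice\\AppData\\Roaming\\Notepad++\\update.exe</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

# Constructed sample config.xml with a shell path pointing into AppData.
CONFIG_XML = """<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\\Users\\alice\\AppData\\Roaming\\evil.exe</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

# Path components that indicate a user-writable location.
SUSPICIOUS_ROOTS = ("appdata", "temp", "downloads", "public")

def command_target(cmd):
    """Return the program that would be launched: the first token,
    honouring a double-quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def is_suspicious(target):
    parts = [p.lower() for p in PureWindowsPath(target).parts]
    return any(root in parts for root in SUSPICIOUS_ROOTS)

def audit_run_menu(xml_text):
    """List (name, target) for Run-menu entries launching from user-writable paths."""
    root = ET.fromstring(xml_text)
    return [(c.get("name"), command_target(c.text or ""))
            for c in root.iter("Command")
            if is_suspicious(command_target(c.text or ""))]

def audit_shell(xml_text):
    """Return the configured shell path if it is suspicious, else None."""
    root = ET.fromstring(xml_text)
    for g in root.iter("GUIConfig"):
        if g.get("name") == "commandLineInterpreter":
            target = command_target(g.text or "")
            return target if is_suspicious(target) else None
    return None

if __name__ == "__main__":
    print(audit_run_menu(SHORTCUTS_XML), audit_shell(CONFIG_XML))
```

Run it against the real files under the user’s Notepad++ profile directory to spot entries that were not put there by the user; a default shell value such as plain `cmd` produces no finding.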
A third flaw, CVE-2026-48770, with a CVSS score of 5.0, causes the editor to crash when process messages are manipulated.
The vulnerabilities require pre-existing write access to the AppData directory; that access can be obtained through malware, manipulated shortcuts, or social engineering. Affected users should update to version 8.9.6.1, which is available from the project’s download page.
Source: www.csoonline.com