{"id":13206,"date":"2026-05-28T10:03:42","date_gmt":"2026-05-28T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/28\/critical-notepad-vulnerabilities-allow-attackers-to-execute-arbitrary-code\/"},"modified":"2026-05-28T10:03:42","modified_gmt":"2026-05-28T10:03:42","slug":"critical-notepad-vulnerabilities-allow-attackers-to-execute-arbitrary-code","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/28\/critical-notepad-vulnerabilities-allow-attackers-to-execute-arbitrary-code\/","title":{"rendered":"Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code"},"content":{"rendered":"

Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Notepad++, one of the most widely used open-source text editors for Windows, has released an urgent security update addressing three vulnerabilities, including two arbitrary code execution<\/a> flaws that could allow attackers to silently run malicious programs on a victim\u2019s machine.<\/p>\n

The Notepad++ development team released version v8.9.6.1 on May 26, 2026, patching all three vulnerabilities. Users running v8.9.6 or earlier are urged to update immediately.<\/p>\n

Notepad++ Vulnerabilities<\/strong><\/h2>\n

The update resolves the following vulnerabilities:<\/p>\n

\n\n\n\n\n\n\n\n
CVE ID<\/th>\nSeverity<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
CVE-2026-48770<\/td>\nHigh<\/td>\nCrash via malformed XML structure<\/td>\n<\/tr>\n
CVE-2026-48778<\/td>\nCritical<\/td>\nArbitrary code execution via config.xml<\/td>\n<\/tr>\n
CVE-2026-48800<\/td>\nCritical<\/td>\nArbitrary code execution via shortcuts.xml<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The most severe of the three is CVE-2026-48778, which targets the <GUIConfig name=\"commandLineInterpreter\"><\/code> tag inside Notepad++\u2019s config.xml<\/code> file.<\/p>\n

The editor reads this value through NppXml::value()<\/code> in Parameters.cpp<\/code> and stores it without any validation, whitelist, or digital signature check.<\/p>\n

When a user triggers File \u2192 Open Containing Folder \u2192 cmd, the application creates a command object using the attacker-controlled string and passes it directly to ShellExecute()<\/code> effectively executing whatever executable the attacker has planted.<\/p>\n

A simple proof-of-concept payload placing calc.exe<\/code> in the XML tag causes Windows Calculator to launch instead of the intended command prompt, confirming full code execution capability.<\/p>\n

Researchers identified several realistic paths<\/a> an attacker could exploit CVE-2026-48778:<\/p>\n