Critical Notepad++ Vulnerabilities Allow Code Execution

Overview
CVE: CVE-2026-48778, CVE-2026-48800, CVE-2026-48770
Severity: Critical
Date: 1 June 2026
Notepad++ has released version v8.9.6.1 to address multiple security vulnerabilities affecting the Windows text editor. The most serious issues may allow arbitrary code execution through tampered Notepad++ configuration files.
The update includes fixes for two critical arbitrary code execution vulnerabilities and one high-severity crash vulnerability. Organisations should update affected systems immediately and confirm Notepad++ is installed from official sources only.
Affected Versions
Notepad++ v8.9.6 and earlier are reported as affected by the v8.9.6.1 vulnerability fixes.
Notepad++ v8.9.4 and v8.9.5 installers are also referenced in the vendor release notes for CVE-2026-46710.
Fixed version: Notepad++ v8.9.6.1.
Vulnerability Breakdown
CVE-2026-48778 - Arbitrary Code Execution via config.xml
Severity: Critical
CVSS: Not provided in the reviewed advisory material.
Description: Notepad++ is reported to read a command-line interpreter value from config.xml without sufficient validation. If an attacker can control or modify this configuration value, Notepad++ may execute an attacker-controlled executable when the affected feature is triggered.
Impact: Potential arbitrary code execution in the context of the affected user.
Conditions: An attacker must be able to influence the Notepad++ configuration file or direct the application to use a malicious settings directory. Reported exploitation paths include direct configuration file modification, malicious shortcut arguments, cloud sync poisoning, and social engineering via extracted archives.
Notes: Risk is higher where users operate shared, redirected, or cloud-synced configuration locations.
CVE-2026-48800 - Arbitrary Code Execution via shortcuts.xml
Severity: Critical
CVSS: Not provided in the reviewed advisory material.
Description: This issue follows a similar pattern to CVE-2026-48778 but affects Notepad++ shortcut configuration. A malicious shortcuts.xml file may allow execution of an unintended program.
Impact: Potential arbitrary code execution in the context of the affected user.
Conditions: An attacker must be able to modify or supply a malicious Notepad++ shortcut configuration file.
Notes: Organisations should treat unmanaged configuration directories as a higher-risk condition.
CVE-2026-48770 - Malformed COPYDATASTRUCT Crash
Severity: High
CVSS: Not provided in the reviewed advisory material.
Description: Notepad++ fixed an issue where a malformed COPYDATASTRUCT could cause the application to crash.
Impact: Potential denial of service through application crash.
Conditions: A malformed local message or crafted interaction is required to trigger the crash condition.
Notes: This issue is less severe than the arbitrary code execution vulnerabilities but should be remediated as part of the same update cycle.
Mitigation
Organisations should take the following actions:
Update Notepad++ to v8.9.6.1 immediately.
Download installers only from the official Notepad++ website or trusted software management channels.
Validate downloaded binaries using available GPG signatures or SHA-256 checksums where practical.
Review environments where Notepad++ configuration files are stored in shared, redirected, or cloud-synced locations.
Restrict unauthorised write access to Notepad++ configuration directories.
Monitor for unexpected modification of config.xml and shortcuts.xml in user profile paths.
Review endpoint controls for suspicious execution launched from user-writable directories.
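One way to implement the configuration-monitoring action above, as an added example that is not from the Notepad++ project or the referenced advisories. Because Notepad++ rewrites config.xml during normal use, it baselines only the values that launch programs instead of hashing whole files. The element paths and the per-user AppData\Roaming\Notepad++ location are assumptions based on the stock file layout, and the function names are illustrative.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: these element paths follow the stock Notepad++ file layout; the
# advisory names only the two files, not the elements that hold launch values.
LAUNCH_QUERIES = {
    "config.xml": ".//GUIConfig[@name='commandLineInterpreter']",
    "shortcuts.xml": ".//UserDefinedCommands/Command",
}

def launch_values(path):
    """Sorted program-launching strings from one file; None if it will not parse."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    nodes = root.findall(LAUNCH_QUERIES[Path(path).name])
    return sorted((node.text or "").strip() for node in nodes)

def snapshot(users_root):
    """Launch values for every watched file under <user>/AppData/Roaming/Notepad++."""
    state = {}
    for name in LAUNCH_QUERIES:
        for path in sorted(Path(users_root).glob(f"*/AppData/Roaming/Notepad++/{name}")):
            state[str(path)] = launch_values(path)
    return state

def drift(baseline, current):
    """(path, old, new) for each file whose launch values differ from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path, "absent"), current.get(path, "absent")
        if old != new:
            findings.append((path, old, new))
    return findings

def check(users_root, baseline_file):
    """Record a baseline on first run; on later runs return drift against it."""
    baseline_file, current = Path(baseline_file), snapshot(users_root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return []
    return drift(json.loads(baseline_file.read_text()), current)

if __name__ == "__main__":
    import sys
    for finding in check(sys.argv[1], sys.argv[2]):
        print(*finding, sep="\t")
```

Run it on a schedule with the users root (for example C:\Users) and a baseline path stored where standard users cannot write. A value of None in a finding means the file no longer parses as XML and should be inspected by hand.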
Summary for IT Teams
Products: Notepad++ for Windows
Threat Level: Critical
Action Required: Update Notepad++ to v8.9.6.1 immediately. Prioritise users with shared or cloud-synced configuration directories and confirm installers are sourced from official channels.
Reference
Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code (Cyber Security News)
GitHub Security Advisory GHSA-3x3f-3j39-pj3v
Need Help?
If your organisation needs assistance assessing exposure, validating affected endpoints, or prioritising remediation, the Secure ISS SOC team can help.
Please contact Secure ISS on 1300 769 460 or email us for support.
