Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code
Two critical arbitrary code execution flaws in Notepad++ let attackers run malicious programs by injecting commands into configuration files, patched in version 8.9.6.1.

Notepad++, one of the most widely used open-source text editors for Windows, has released an urgent security update addressing three vulnerabilities, including two arbitrary code execution flaws that could allow attackers to silently run malicious programs on a victim's machine. The Notepad++ development team released version v8.9.6.1 on May 26, 2026, patching all three vulnerabilities. Users running v8.9.6 or earlier are urged to update immediately.
The most severe of the three is CVE-2026-48778, which targets the `<GUIConfig name="commandLineInterpreter">` tag inside Notepad++'s config.xml file. The editor reads this value through `NppXml::value()` in Parameters.cpp and stores it without any validation, whitelist, or digital signature check. When a user triggers File → Open Containing Folder → cmd, the application creates a command object using the attacker-controlled string and passes it directly to `ShellExecute()`, effectively executing whatever executable the attacker has planted. A simple proof-of-concept payload placing `calc.exe` in the XML tag causes Windows Calculator to launch instead of the intended command prompt, confirming full code execution capability.
Researchers identified several realistic paths by which an attacker could exploit CVE-2026-48778: direct config file write — any process running under the same user account can modify `%APPDATA%\Notepad++\config.xml`; malicious shortcut (.lnk) — using the `-settingsDir=` flag to redirect Notepad++ to an attacker-controlled settings directory; cloud sync poisoning — Notepad++ supports a user-configurable cloud path, which an attacker could poison through compromised cloud storage; and social engineering via archive extraction — tricking users into extracting malicious archives that drop a tampered config into AppData.
The second critical flaw, CVE-2026-48800, mirrors the same exploitation technique but targets the shortcuts.xml file. An attacker who can modify this file can inject arbitrary commands that execute when the user interacts with certain shortcut actions. Both vulnerabilities share a root cause: the application fails to sanitize or validate user-controlled configuration values before passing them to system shell functions.
All three vulnerabilities are patched in Notepad++ v8.9.6.1, available now on the official releases page. Security researchers additionally recommend that Notepad++ implement a whitelist of permitted command-line interpreters (such as cmd.exe, powershell.exe), validate executable paths against system directories, and introduce a user confirmation dialog before executing any shell command. Enterprise environments should prioritize patching, particularly where users operate shared or cloud-synced configuration directories.
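As an added example (not Notepad++ source code and not the researchers' proof of concept), the following Python script audits a copy of config.xml for the `commandLineInterpreter` setting described above and applies the allowlist and system-directory checks recommended for the fix; the allowed interpreter names, the system directories and the sample XML are assumptions constructed for the demonstration.

```python
# Added defender-side example (not Notepad++ source): audit a Notepad++ config.xml
# for a tampered <GUIConfig name="commandLineInterpreter"> value (CVE-2026-48778).
import ntpath
import xml.etree.ElementTree as ET

# Assumed allowlist: interpreters an administrator expects in this setting,
# with and without the .exe suffix. Tune to your environment.
ALLOWED_INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
# Assumed system directories an explicit interpreter path may point into
# (lower-case, backslash form as produced by ntpath.normcase).
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\windowspowershell\v1.0",
}

def interpreter_value(config_xml):
    """Return the text of the commandLineInterpreter GUIConfig, or None if absent."""
    root = ET.fromstring(config_xml)
    for node in root.iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            return (node.text or "").strip()
    return None

def classify_interpreter(value):
    """Return ("ok" | "suspicious", reason) for one interpreter setting."""
    if not value:
        return "ok", "setting absent or empty; editor default applies"
    cleaned = value.strip('"')            # the value is handed to ShellExecute as a path
    directory, name = ntpath.split(cleaned)
    if name.lower() not in ALLOWED_INTERPRETERS:
        return "suspicious", "unexpected interpreter %r" % name
    if directory and ntpath.normcase(directory).rstrip("\\") not in SYSTEM_DIRS:
        return "suspicious", "%s loaded from non-system directory %r" % (name, directory)
    return "ok", "%s is an allowed interpreter" % cleaned

# Constructed sample configs (not real user data): one clean, one carrying the
# calc.exe payload described in the advisory.
CLEAN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""
TAMPERED_CONFIG = CLEAN_CONFIG.replace(">cmd<", ">calc.exe<")

if __name__ == "__main__":
    for label, xml_text in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        verdict, reason = classify_interpreter(interpreter_value(xml_text))
        print(f"{label}: {verdict} ({reason})")
```

To audit a live endpoint, read `%APPDATA%\Notepad++\config.xml` (or the directory named by a `-settingsDir=` launch flag) and pass its contents to `interpreter_value`.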
The disclosure highlights a broader pattern of configuration-file injection vulnerabilities in popular desktop applications. As software increasingly relies on XML-based settings files for customization, attackers are finding new ways to weaponize these files for code execution. Notepad++'s widespread adoption — with millions of users worldwide — makes these flaws particularly dangerous, as even a single compromised configuration file can lead to full system compromise.