Notepad++ 8.9.7 Fixes Five Flaws, Including PowerShell Command Injection


Notepad++ 8.9.7 fixes five security vulnerabilities affecting its installer, updater, session files, macro validation, and environment-variable handling. The issues can cause command execution, file disclosure, plugin replacement, or application crashes under specific conditions.

One flaw allows PowerShell command injection when an attacker controls the Notepad++ installation directory on Windows 11. Another can replace an installed plugin DLL through a malicious archive, resulting in code execution when Notepad++ loads the modified plugin.

The official Notepad++ 8.9.7 release notes list three vulnerabilities with CVE identifiers and two additional security issues that do not yet have CVE numbers. Users running version 8.9.6.4 or earlier should review their exposure and upgrade.

Five Notepad++ Vulnerabilities Fixed

The vulnerabilities do not share one attack method. Each affects a different part of the Notepad++ application or installation process.

The most serious confirmed code-execution path involves the WinGUp updater’s plugin extraction function. The PowerShell installer flaw and macro-validation bypass also allow command execution, but both require more specific local conditions.

Notepad++ 8.9.7 contains fixes for the following issues:

IdentifierVulnerabilitySeverityPrimary impact
CVE-2026-54758Stack buffer overflowHighApplication crash and possible theoretical code execution
CVE-2026-52886session.xml path-validation bypassModerateReading user-accessible files outside the backup directory
CVE-2026-57233WinGUp Zip Slip vulnerabilityHighPlugin DLL replacement and code execution
Not assignedshortcuts.xml macro HMAC bypassModerateConditional command execution in an elevated process
Not assignedInstaller PowerShell command injectionModerateCommands run with the installer’s privileges

PowerShell Injection Requires Control of the Installation Path

The installer vulnerability affects the process used to register Notepad++ as a Windows 11 context-menu application. The installer builds a PowerShell command containing the selected installation directory.

If that directory contains PowerShell expression syntax, PowerShell can interpret part of the path as a command. The injected command then runs in the installer’s security context.

The PowerShell injection advisory rates the flaw as Moderate and lists several required conditions. It is not a remote vulnerability that attackers can trigger merely by sending someone a text file.

  • The attack targets Windows 11.
  • It affects x64 or ARM64 installers that register the MSIX context-menu package.
  • The context-menu component must be selected.
  • An attacker must control or influence the installation directory.
  • The command runs with the installer’s privileges.

A tampered installer package is not required to exploit the underlying input-handling problem. However, an attacker still needs a way to persuade a user, deployment script, or software-management process to use a specially constructed installation path.

WinGUp Zip Slip Flaw Can Replace Plugin Files

CVE-2026-57233 affects the archive-extraction routine in WinGUp, the updater included with Notepad++. The routine did not ensure that every extracted file remained inside the intended plugin directory.

A malicious plugin package could contain path-traversal sequences that direct WinGUp to write into a neighboring plugin folder. This could overwrite a legitimate plugin DLL with attacker-controlled code.

According to the CVE-2026-57233 advisory, Notepad++ would load the replaced DLL during a later launch. The code would run inside the Notepad++ process and could inherit elevated rights if the user started the editor as an administrator.

Attack stageRequired action
Package deliveryThe victim receives or installs a malicious plugin archive
Archive extractionWinGUp processes path-traversal entries
File replacementAn existing plugin DLL is overwritten
Code executionNotepad++ loads the replaced DLL during a later launch

Session File Flaw Can Expose Sensitive Files

CVE-2026-52886 concerns the way Notepad++ validates backup paths stored in session.xml. Earlier versions checked whether a path began with the expected backup-directory string but did not normalize the path first.

An attacker with permission to modify session.xml could add parent-directory references that passed the initial prefix check. Windows would then resolve the path to a file outside the approved backup folder.

The session.xml security advisory says the target file could appear in a Notepad++ editor tab when the program starts with snapshot mode enabled.

  • The attacker needs write access to session.xml.
  • Snapshot mode must be active.
  • Notepad++ must have permission to read the target file.
  • The flaw provides read-only access through the editor.
  • Portable installations may face greater exposure because configuration files can reside beside the application.

Potentially exposed data could include environment files, private keys, configuration files, logs, and other documents readable by the current Windows account. The vulnerability does not bypass Windows file permissions.

Macro Validation Bypass Affects Elevated Notepad++ Sessions

Notepad++ uses an HMAC validation mechanism to detect unauthorized changes to commands stored in shortcuts.xml. Researchers found that this protection covered user-defined commands but did not apply in the same way to macros.

An attacker-controlled macro could call internal Notepad++ actions without triggering the intended integrity check. Under certain conditions, this could modify protected files or launch an attacker-controlled command file.

The macro HMAC bypass advisory stresses that the flaw does not provide automatic privilege escalation. A low-privileged attacker must influence the settings directory used by an elevated Notepad++ process, and the macro path must execute.

Users can reduce this risk by avoiding routine use of Notepad++ with administrator privileges. Organizations should also prevent untrusted users from modifying the application’s configuration directories.

Buffer Overflow Mainly Causes a Notepad++ Crash

CVE-2026-54758 affects the expandNppEnvironmentStrs function. The function copied a Notepad++ variable name into a fixed-size stack buffer without properly checking its length.

A variable name of sufficient length could write beyond the buffer and corrupt nearby memory. The user would need to process the crafted value through Notepad++’s Run dialog.

The buffer overflow advisory lists the vulnerability as High. The demonstrated result is a controlled application crash because Microsoft’s stack-protection mechanism detects the corruption and terminates Notepad++.

Code execution may become theoretically possible if an attacker can bypass or avoid those protections. The published demonstration does not establish a reliable remote-code-execution chain.

Notepad++ 8.9.7 Also Adds Features and Bug Fixes

The update moves Notepad++ to Scintilla 5.6.4, Lexilla 5.5.1, and pugixml 1.16. It also improves search behavior, workspace handling, high-DPI scaling, and general stability.

Folder as Workspace can now remember expanded and collapsed folders between sessions. Incremental Search gains count and position information, along with performance improvements.

Other changes address symbolic-link freezes, disappearing workspace items, relative-path handling, plugin toolbar scaling, crashes, and user-interface problems.

  • Persistent Folder as Workspace expansion state
  • Improved Incremental Search counting
  • Full ANSI escape-sequence lexing
  • Updated PHP and CSS keywords
  • Improved high-DPI plugin icons
  • Better dark-mode message boxes
  • Several crash and regression fixes

How to Install the Notepad++ Security Update

Users can download version 8.9.7 from the official Notepad++ website. Downloads from third-party mirrors, advertisements, or unofficial software sites may expose users to modified installers.

The developers plan to trigger the automatic updater two weeks after release if no serious problems emerge. Users who need the security fixes immediately should install the update manually instead of waiting for the staged rollout.

Organizations should verify installed versions through software inventory tools and upgrade every system running Notepad++ 8.9.6.4 or earlier. Portable copies require attention because they may not use the normal updater.

  1. Check the installed version from the Notepad++ Help menu.
  2. Download version 8.9.7 from the official project website.
  3. Verify the installer’s digital signature before running it.
  4. Avoid unusual installation paths supplied by third parties.
  5. Review installed plugins and remove unknown additions.
  6. Do not run Notepad++ as an administrator unless required.
  7. Search for unmanaged portable copies on business endpoints.

The complete Notepad++ security update announcement confirms that version 8.9.7 contains all five fixes. No evidence currently shows that attackers have exploited these vulnerabilities in real-world attacks.

FAQ

Which Notepad++ version fixes the five vulnerabilities?

Notepad++ 8.9.7 fixes the installer, updater, session-file, macro-validation, and buffer-overflow vulnerabilities. Users running older versions should upgrade.

Can the Notepad++ PowerShell flaw be exploited remotely?

The published advisory does not describe a direct remote attack. An attacker must control or influence the installation directory on Windows 11 while the affected installer registers the context-menu component.

Which Notepad++ vulnerability can execute code through a plugin?

CVE-2026-57233 allows a malicious plugin archive to overwrite another plugin DLL through path traversal. The attacker-controlled DLL runs when Notepad++ later loads the affected plugin.

Does CVE-2026-54758 provide reliable code execution?

The demonstrated impact is a Notepad++ crash caused by stack-buffer corruption. Code execution remains theoretical because the published test triggers Microsoft stack protections that terminate the application.

What can CVE-2026-52886 expose?

An attacker who can modify session.xml may cause Notepad++ to open a user-readable file outside the backup directory. Possible targets include configuration files, private keys, environment files, and other documents accessible to the current account.

Will Notepad++ 8.9.7 install automatically?

The project plans to activate the automatic updater two weeks after release if no serious issues appear. Users and organizations seeking immediate protection can install version 8.9.7 manually.

Are attackers exploiting these Notepad++ vulnerabilities?

No active exploitation was reported in the official release notes or security advisories at publication time.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages