Notepad++ Fixes Code Execution Flaws in Config and Shortcut Files
Notepad++ has released version 8.9.6.1 to fix three security vulnerabilities, including two High-severity command execution flaws tied to user configuration files. The update is available now, and users running Notepad++ 8.9.6 or earlier should upgrade.
The official Notepad++ 8.9.6.1 release page lists fixes for arbitrary code execution through config.xml and shortcuts.xml, along with a crash issue involving malformed WM_COPYDATA input. The two command execution flaws are tracked as CVE-2026-48778 and CVE-2026-48800.
These are not classic remote code execution bugs where opening a text file is enough to run malware. They are still serious: an attacker who can write to the user's Notepad++ settings, redirect the settings directory, poison cloud-synced configuration, or trick the user into loading a malicious configuration decides what the editor launches the next time a related menu action is used.
What Notepad++ Patched
| CVE | Severity | CVSS Score | Issue | Fixed Version |
|---|---|---|---|---|
| CVE-2026-48778 | High | 7.8 | Command execution through config.xml commandLineInterpreter | 8.9.6.1 |
| CVE-2026-48800 | High | 7.8 | Command execution through shortcuts.xml user commands | 8.9.6.1 |
| CVE-2026-48770 | Moderate | 5.0 | Local denial-of-service crash through malformed WM_COPYDATA input | 8.9.6.1 |
The most important fixes involve XML configuration files that Notepad++ uses to store settings and user-defined commands. If those files are modified by an attacker, Notepad++ can later launch an attacker-controlled executable when the user triggers a related menu action.
This makes the issue more relevant in environments with shared machines, cloud-synced settings, unsafe archive extraction habits, or users who run software from attacker-controlled shortcuts.
How CVE-2026-48778 Works
CVE-2026-48778 affects the commandLineInterpreter setting inside config.xml. According to the GitHub advisory for CVE-2026-48778, Notepad++ reads the value from the GUIConfig tag and stores it without validation, allowlist checks, or integrity protection.
When the user selects File > Open Containing Folder > cmd, Notepad++ passes that stored value to ShellExecute as the executable path. If the configuration has been altered, the user launches the attacker's program instead of the expected command prompt.
The advisory lists several possible attack paths. These include direct writes to the user’s Notepad++ config.xml file, a malicious .lnk shortcut that points Notepad++ to an attacker-controlled settings directory, cloud sync poisoning, and social engineering through archive extraction.
How CVE-2026-48800 Works
CVE-2026-48800 follows a similar pattern but targets shortcuts.xml. The GitHub advisory for CVE-2026-48800 says Notepad++ reads Command tag content inside UserDefinedCommands and stores it without validation.
The attack becomes dangerous when the user selects the corresponding item in the Run menu. A malicious command can carry a normal-looking name, such as a fake system update check, and then execute the attacker-controlled path.
This can also create a persistence risk. If an attacker briefly gains access to the user’s configuration file, the malicious Run menu entry can remain in place and wait for the user to click it later.
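Both flaws come down to the same thing: a value read from an XML file in the user's profile is later handed to ShellExecute without any check. The script below is an added example, not Notepad++ project code, that audits the two files the way the CVE-2026-48778 advisory recommends the editor should (allowlist permitted interpreters, accept absolute launch paths only from trusted system or program directories). The XML layout mirrors the elements the advisories name (a GUIConfig element named commandLineInterpreter, and Command elements under UserDefinedCommands); the sample files, the interpreter allowlist and the trusted directory list are constructed for the demo and are assumptions, not Notepad++ defaults.

```python
"""Audit Notepad++ config.xml and shortcuts.xml for attacker-controlled launch targets.

Added example, not Notepad++ project code. The XML layout mirrors the elements the
advisories name (a GUIConfig element named commandLineInterpreter, and Command
elements under UserDefinedCommands). The interpreter allowlist and the trusted
directory list are assumptions chosen for this demo.
"""
from collections import namedtuple
import xml.etree.ElementTree as ET

Finding = namedtuple("Finding", "source name target verdict")

# Assumed policy: the only interpreters the "Open Containing Folder > cmd" action may launch,
# and the only directories from which an absolute launch path is accepted.
INTERPRETER_ALLOWLIST = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

# Constructed sample files: the interpreter has been redirected to a user-writable Temp
# path, and a fake "update check" Run entry points at C:\Users\Public.
CONFIG_XML = r"""<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="RememberLastSession">yes</GUIConfig>
    <GUIConfig name="commandLineInterpreter">C:\Users\alice\AppData\Local\Temp\cmd.exe</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

SHORTCUTS_XML = r"""<NotepadPlus>
  <InternalCommands />
  <Macros />
  <UserDefinedCommands>
    <Command name="Launch in Firefox" Ctrl="yes" Alt="no" Shift="yes" Key="88">firefox "$(FULL_CURRENT_PATH)"</Command>
    <Command name="Launch in Chrome" Ctrl="yes" Alt="no" Shift="yes" Key="67">"C:\Program Files\Google\Chrome\Application\chrome.exe" "$(FULL_CURRENT_PATH)"</Command>
    <Command name="Check for system updates" Ctrl="no" Alt="no" Shift="no" Key="0">"C:\Users\Public\update.exe" /silent</Command>
  </UserDefinedCommands>
</NotepadPlus>"""


def _norm(path):
    """Lower-case, strip surrounding quotes and use backslashes so prefix checks are uniform."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _is_absolute(p):
    return p.startswith("\\\\") or (len(p) > 2 and p[1] == ":" and p[2] == "\\")


def first_token(command_line):
    """Return the executable part of a Windows command line, honouring a quoted first token."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def classify_target(target, allowlist=None):
    """Verdict for one launch target: 'ok', 'review' (bare name resolved via PATH) or 'suspicious'."""
    t = _norm(target)
    if not t:
        return "suspicious"
    base = t.rsplit("\\", 1)[-1]
    if allowlist is not None and base not in allowlist:
        return "suspicious"            # not a permitted interpreter, wherever it lives
    if "\\" not in t:
        # bare name: Windows resolves it via PATH / App Paths, so only known interpreters pass
        return "ok" if allowlist is not None else "review"
    if not _is_absolute(t):
        return "suspicious"            # relative path depends on the working directory
    if not any(t.startswith(d + "\\") for d in TRUSTED_DIRS):
        return "suspicious"            # absolute path outside system/program dirs (Temp, Public, ...)
    return "ok"


def audit_config(config_xml):
    """Findings for the commandLineInterpreter value (the CVE-2026-48778 sink)."""
    root = ET.fromstring(config_xml)
    return [Finding("config.xml", "commandLineInterpreter", (n.text or "").strip(),
                    classify_target(n.text or "", INTERPRETER_ALLOWLIST))
            for n in root.iter("GUIConfig") if n.get("name") == "commandLineInterpreter"]


def audit_shortcuts(shortcuts_xml):
    """Findings for every Run-menu command in UserDefinedCommands (the CVE-2026-48800 sink)."""
    root = ET.fromstring(shortcuts_xml)
    udc = root.find("UserDefinedCommands")
    findings = []
    for cmd in ([] if udc is None else udc.findall("Command")):
        exe = first_token(cmd.text or "")
        findings.append(Finding("shortcuts.xml", cmd.get("name", "?"), exe, classify_target(exe)))
    return findings


def run_audit(config_xml=CONFIG_XML, shortcuts_xml=SHORTCUTS_XML):
    """Everything that is not clearly safe, i.e. what an analyst should look at."""
    return [f for f in audit_config(config_xml) + audit_shortcuts(shortcuts_xml) if f.verdict != "ok"]


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.verdict:10} {f.source:14} {f.name!r}: {f.target}")
```

Run against the constructed samples it reports the redirected interpreter and the fake update entry as suspicious and the bare `firefox` command as worth a look, while the Chrome entry under Program Files passes. On a real workstation, point it at `%APPDATA%\Notepad++\config.xml` and `shortcuts.xml`, or at any directory a `-settingsDir` shortcut names.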
Why These Bugs Matter
Notepad++ is widely used by developers, administrators, analysts, students, and office users. Many people keep it installed for years and use it to open scripts, logs, configuration files, and copied commands.
The risk increases because the vulnerable files live in the user’s configuration area. Malware running under the same account, a poisoned settings directory, or a tricked user action may all create a path to later execution through trusted Notepad++ workflows.
The official Notepad++ download page marks version 8.9.6.1 as the patched release for these fixes. Users should download updates only from the official Notepad++ website or their trusted enterprise software management system.
The Third Issue Is a Local Crash Bug
CVE-2026-48770 is different from the two command execution flaws. It involves malformed WM_COPYDATA input and can crash Notepad++ from another local process in the same interactive Windows session.
The GitHub advisory for CVE-2026-48770 says a local process can send malformed COPYDATA_FULL_CMDLINE data to Notepad++ and trigger a reliable local denial-of-service condition. The advisory rates the issue Moderate with a CVSS score of 5.0.
Although this bug does not carry the same impact as arbitrary command execution, it still matters for stability. A local attacker or malicious process could use it to repeatedly crash the editor and disrupt work.
Attack Paths Administrators Should Understand
| Attack Path | How It Could Be Used | Main Risk |
|---|---|---|
| Direct configuration write | A process running as the same user modifies config.xml or shortcuts.xml. | Notepad++ later executes an attacker-controlled command. |
| Malicious shortcut | A .lnk file starts Notepad++ with -settingsDir pointing to attacker-controlled settings. | The editor loads hostile configuration files. |
| Cloud sync poisoning | An attacker tampers with synced Notepad++ settings. | The malicious config follows the user across devices. |
| Archive extraction trick | A user extracts files into a sensitive configuration path. | A poisoned XML file replaces or influences trusted settings. |
| Local IPC abuse | A local process sends malformed WM_COPYDATA input. | Notepad++ crashes in the user session. |
What Users Should Do Now
- Update Notepad++ to version 8.9.6.1 or later.
- Download updates only from the official Notepad++ website or trusted internal tools.
- Be careful with .lnk files that launch Notepad++ from unknown locations.
- Avoid extracting archives directly into AppData or Notepad++ configuration folders.
- Review unusual entries in the Notepad++ Run menu.
- Check whether Notepad++ cloud-synced settings come from a trusted account and path.
Users should also treat unexpected Notepad++ behavior as suspicious. A new Run menu item, a changed command prompt action, or settings that reappear through cloud sync may point to configuration tampering.
For most users, the fastest and most practical mitigation is to install the patched build and avoid loading Notepad++ from attacker-supplied shortcuts or settings directories.
What Enterprises Should Check
Enterprise teams should push the update through software deployment tools and confirm that older versions are removed. Developer and administrator workstations deserve special attention because those users often work with scripts, privileged tools, and cloud-synced settings.
Security teams should also review whether Notepad++ settings directories are writable only by the intended user and whether cloud sync introduces risk. Shared configuration paths should be avoided unless they are tightly controlled.
The CVE-2026-48778 advisory recommends allowlisting permitted interpreters, validating executable paths against trusted system directories, and adding confirmation before command execution. These are useful hardening ideas for future versions and enterprise monitoring.
Detection Ideas for Security Teams
- Monitor unexpected changes to %APPDATA%\Notepad++\config.xml.
- Monitor unexpected changes to %APPDATA%\Notepad++\shortcuts.xml.
- Flag Notepad++ launches that use the -settingsDir argument from unusual paths.
- Look for Notepad++ spawning unexpected executables after Run menu activity.
- Watch for config files restored or modified through cloud sync clients.
- Investigate repeated Notepad++ crashes linked to local process activity.
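Three of the items above (the -settingsDir launch, unexpected child processes, and a known-good binary name living in a user-writable folder) can be expressed as rules over process-creation events. The script below is an added example, not from the page or the project, that runs those rules over constructed records in a ParentImage|Image|CommandLine layout (the fields a Sysmon Event ID 1 or EDR process event carries). The expected-child list, the user-writable path patterns and the assumption that legitimate settings live under %APPDATA%\Notepad++ are choices made for the demo.

```python
"""Detection logic for the Notepad++ attack paths described in this article, run over
constructed process-creation records (ParentImage|Image|CommandLine). Added example,
not from the page or the project; the expected-child list, the user-writable path
patterns and the expected settings location are assumptions.
"""
import re

# Assumption: legitimate settings live under %APPDATA%\Notepad++ (per-user roaming profile).
EXPECTED_SETTINGS_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\notepad\+\+(\\|$)")
# Notepad++ takes -settingsDir="<dir>" on the command line; an unquoted value is tolerated too.
SETTINGS_DIR_RE = re.compile(r'-settingsDir=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Assumption: children a user normally launches from Notepad++ (cmd from Open Containing Folder, shells from Run).
EXPECTED_CHILD_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
# Locations any process running as the user can write to; a known-good name from here is still hostile.
USER_WRITABLE_RE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata\\local\\temp|downloads)|users\\public|windows\\temp)\\")

# Constructed records: a normal launch, a redirected settings directory, a normal cmd child,
# a fake updater spawned from the Run menu, and a "cmd.exe" that lives in Temp.
SAMPLE_EVENTS = r"""
C:\Windows\explorer.exe|C:\Program Files\Notepad++\notepad++.exe|"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\alice\notes.txt"
C:\Windows\explorer.exe|C:\Program Files\Notepad++\notepad++.exe|"C:\Program Files\Notepad++\notepad++.exe" -settingsDir="C:\Users\alice\Downloads\npp-settings"
C:\Program Files\Notepad++\notepad++.exe|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe /K cd "C:\Users\alice"
C:\Program Files\Notepad++\notepad++.exe|C:\Users\Public\update.exe|"C:\Users\Public\update.exe" /silent
C:\Program Files\Notepad++\notepad++.exe|C:\Users\alice\AppData\Local\Temp\cmd.exe|C:\Users\alice\AppData\Local\Temp\cmd.exe
""".strip().splitlines()


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def settings_dir_from(cmdline):
    """Return the -settingsDir value if the launch redirected the settings directory, else None."""
    m = SETTINGS_DIR_RE.search(cmdline)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(lines):
    """Return (line_no, rule, detail) alerts for the given records."""
    alerts = []
    for no, line in enumerate(lines, 1):
        ev = parse_event(line)
        image, parent = ev["image"].lower(), ev["parent"].lower()
        # Rule 1: Notepad++ started with a settings directory outside the user's roaming profile
        if image.endswith("\\notepad++.exe"):
            sd = settings_dir_from(ev["cmdline"])
            if sd is not None and not EXPECTED_SETTINGS_RE.match(sd.strip().lower()):
                alerts.append((no, "settingsdir_redirect", sd))
        # Rule 2: something Notepad++ spawned (Run menu / Open Containing Folder) that is not expected,
        # or is an expected name running from a location the user (and therefore malware) can write to
        if parent.endswith("\\notepad++.exe"):
            base = image.rsplit("\\", 1)[-1]
            if base not in EXPECTED_CHILD_NAMES:
                alerts.append((no, "unexpected_child", ev["image"]))
            elif USER_WRITABLE_RE.match(image):
                alerts.append((no, "child_from_user_writable_path", ev["image"]))
    return alerts


if __name__ == "__main__":
    for no, rule, detail in detect(SAMPLE_EVENTS):
        print(f"line {no}: {rule}: {detail}")
```

The second rule deliberately checks the child's full path and not just its name, because the CVE-2026-48778 attack path puts a binary called cmd.exe somewhere the user can write to; a name-only allowlist would wave it through. Tune EXPECTED_CHILD_NAMES to what your users actually launch from the Run menu, and treat any portable or enterprise-managed settings location as a second allowed root in EXPECTED_SETTINGS_RE.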
The CVE-2026-48800 advisory also recommends warning users when new Run menu commands appear that were not added through the graphical interface. That type of alert could help detect persistence through shortcuts.xml tampering.
Organizations that use application control can also restrict what programs Notepad++ is allowed to launch. This may reduce the impact of future configuration-based command execution bugs.
Why the Update Should Not Wait
The vulnerabilities require certain conditions, but they affect a popular Windows editor used in sensitive environments. Attackers often look for trusted desktop tools that can help them blend malicious execution into normal user activity.
Notepad++ 8.9.6.1 fixes the known issues, so delaying the update leaves users exposed to publicly documented attack paths. Public advisories also make it easier for attackers to understand where to look in older versions.
The CVE-2026-48770 advisory shows that even the lower-severity issue can cause a reliable local crash. Combined with the two High-severity command execution issues, the update deserves priority on managed Windows systems.
FAQ
Notepad++ 8.9.6.1 fixes three vulnerabilities: CVE-2026-48778 in config.xml, CVE-2026-48800 in shortcuts.xml, and CVE-2026-48770 involving malformed WM_COPYDATA input.
The two arbitrary code execution issues are rated High with CVSS 7.8 in GitHub’s advisories. The crash issue is rated Moderate with CVSS 5.0.
The GitHub advisories list Notepad++ versions up to and including 8.9.6 as affected. Version 8.9.6.1 contains the fixes.
The public advisories describe local attack vectors and user interaction. Attackers would need to tamper with configuration files, redirect the settings directory, poison synced settings, or trick the user into triggering a malicious command.
Users should update to Notepad++ 8.9.6.1 or later, avoid unknown shortcuts that launch Notepad++, avoid extracting archives into AppData or configuration folders, and review unusual Run menu commands.
Enterprises should monitor changes to config.xml and shortcuts.xml, Notepad++ launches using -settingsDir, unexpected child processes spawned by Notepad++, cloud-synced settings changes, and repeated local Notepad++ crashes.