HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Arbitrary Code Execution (CVE‑2026‑48778) Discovered in Notepad++ 8.9.6 for Windows

A newly disclosed vulnerability in Notepad++ 8.9.6 allows attackers with write access to a user's AppData folder to execute arbitrary code when the editor’s ‘Open Containing Folder in cmd’ feature is used. Organizations should patch or remove the affected version to mitigate supply‑chain and insider‑threat risks.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
exploit-db.com

Arbitrary Code Execution Vulnerability (CVE‑2026‑48778) in Notepad++ 8.9.6 Affects Windows Users

What Happened — A newly disclosed vulnerability (CVE‑2026‑48778) allows an attacker with write access to a user’s %APPDATA%\Notepad++\config.xml to inject a malicious command line interpreter. When the “Open Containing Folder in cmd” feature is used, the injected executable runs under the current user’s context, enabling arbitrary code execution.

Why It Matters for TPRM

  • The flaw can be weaponized in supply‑chain or insider‑threat scenarios, compromising any organization that permits Notepad++ on employee workstations.
  • Exploits are already publicly available, raising the risk of opportunistic attacks.
  • Mitigation requires patching or configuration hardening across all affected endpoints.

Who Is Affected — All industries that allow the free‑text editor Notepad++ on Windows desktops (e.g., TECH_SAAS, FIN_SERV, GOV_PUBLIC, EDU_RESEARCH, etc.).

Recommended Actions

  • Verify that Notepad++ 8.9.6 or earlier is not installed on managed endpoints; upgrade to 8.9.7 or later.
  • Restrict write permissions to %APPDATA%\Notepad++\config.xml via endpoint hardening policies.
  • Monitor for anomalous process launches (e.g., calc.exe) following the “Open Containing Folder” action.

Technical Notes — The exploit leverages an unchecked <GUIConfig name="commandLineInterpreter"> element in config.xml. When the feature is triggered, Notepad++ calls ShellExecute with the attacker‑controlled value, executing the payload under the logged‑in user. No CVSS score is published yet, but the impact is Remote Code Execution at user level. Source: https://www.exploit-db.com/exploits/52606

📰 Original Source
https://www.exploit-db.com/exploits/52606

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →