Arbitrary Code Execution Vulnerability (CVE‑2026‑48778) in Notepad++ 8.9.6 Affects Windows Users
What Happened — A newly disclosed vulnerability (CVE‑2026‑48778) allows an attacker with write access to a user’s %APPDATA%\Notepad++\config.xml to inject a malicious command line interpreter. When the “Open Containing Folder in cmd” feature is used, the injected executable runs under the current user’s context, enabling arbitrary code execution.
Why It Matters for TPRM —
- The flaw can be weaponized in supply‑chain or insider‑threat scenarios, compromising any organization that permits Notepad++ on employee workstations.
- Exploits are already publicly available, raising the risk of opportunistic attacks.
- Mitigation requires patching or configuration hardening across all affected endpoints.
Who Is Affected — All industries that allow the free‑text editor Notepad++ on Windows desktops (e.g., TECH_SAAS, FIN_SERV, GOV_PUBLIC, EDU_RESEARCH, etc.).
Recommended Actions —
- Verify that Notepad++ 8.9.6 or earlier is not installed on managed endpoints; upgrade to 8.9.7 or later.
- Restrict write permissions to
%APPDATA%\Notepad++\config.xmlvia endpoint hardening policies. - Monitor for anomalous process launches (e.g., calc.exe) following the “Open Containing Folder” action.
Technical Notes — The exploit leverages an unchecked <GUIConfig name="commandLineInterpreter"> element in config.xml. When the feature is triggered, Notepad++ calls ShellExecute with the attacker‑controlled value, executing the payload under the logged‑in user. No CVSS score is published yet, but the impact is Remote Code Execution at user level. Source: https://www.exploit-db.com/exploits/52606