Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code (CVE-2026-48778)

Notepad++ has released a security advisory addressing three vulnerabilities, two of them arbitrary code execution flaws that could allow an attacker to silently run malicious code on a victim's machine. The most severe of the three is CVE-2026-48778, an arbitrary code execution issue reachable through a tampered config.xml file.

Notepad++ is a free, open-source text and source code editor for Microsoft Windows. It holds roughly 1.7%–1.85% market share in the IDEs and Text Editors category, ranking around ninth globally among competing tools, and is especially popular for lightweight editing, scripting, log analysis, and quick code modifications rather than full-scale IDE workflows.

CVE-2026-48778

The vulnerability exists in the `<GUIConfig name="commandLineInterpreter">` tag inside Notepad++'s config.xml file. The tag's value is read by NppXml::value() and stored in _nppGUI._commandLineInterpreter without any validation. When the user triggers File → Open Containing Folder → cmd, the application creates a Command object from this value and calls run(), which invokes ShellExecute with the attacker-controlled string as the executable path. Nothing between the file read and the ShellExecute call checks that the string names a command interpreter.

A simple proof of concept that places calc.exe in the XML tag causes Windows Calculator to launch instead of the intended command prompt, confirming arbitrary code execution. Because config.xml lives in the user's own profile (%APPDATA%\Notepad++ for a standard install), an attacker needs only write access to that file, not administrative rights, and the payload runs later under the user's account when the menu item is used.

CVE-2026-48770

Notepad++ has given this a high severity rating. The advisory describes it as a crash triggered by a malformed structure, that is, a denial-of-service issue rather than code execution.

CVE-2026-48800

This has been given a critical severity rating. An attacker may exploit the vulnerability through a crafted shortcuts.xml file; successful exploitation may allow arbitrary code execution.

Affected Versions

The vulnerabilities affect Notepad++ versions before v8.9.6.1.

Mitigation

Users must upgrade to Notepad++ v8.9.6.1 or later to patch the vulnerabilities.

Please refer to the Notepad++ Security Advisory for more information.

Qualys Detection

Qualys customers can scan their devices with QID 387514 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://notepad-plus-plus.org/news/v8961-released/