CVE-2026-46710 notepad-plus-plus CVE debrief

Who should care

Users of Notepad++ versions 8.9.4 through 8.9.6 should be aware of this vulnerability and take steps to mitigate it. System administrators and security teams should also be aware of this vulnerability and ensure that Notepad++ is updated to the latest version. Furthermore, users should be cautious when selecting installation directories and ensure that the directory is secure.

Technical summary

The vulnerability exists in the Notepad++ installer, which invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. This allows an attacker to pre-place a malicious powershell.exe in a user-writable custom installation directory. When a privileged user runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. The vulnerability is due to the insecure way the installer handles the powershell.exe invocation. The vulnerability can be exploited by an attacker with local access to the system.

Defensive priority

High

Recommended defensive actions

• Update Notepad++ to version 8.9.6 or later
• Be cautious when selecting installation directories and ensure that the directory is secure
• Monitor system logs for suspicious activity
• Implement additional security controls to prevent local privilege escalation
• Conduct regular vulnerability assessments and penetration testing

Evidence notes

The vulnerability was reported by an unknown source and is tracked by CVE-2026-46710. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The vulnerability affects Notepad++ versions 8.9.4 through 8.9.6.

Official resources