PatchSiren cyber security CVE debrief

CVE-2026-48800 notepad-plus-plus CVE debrief

CVE-2026-48800 is a high-severity (CVSS 7.8) vulnerability in Notepad++ that allows command injection. The flaw lies in how Notepad++ handles user-defined commands in the shortcuts.xml file: an attacker who can place malicious commands in that file can have them executed when the user clicks the corresponding entry in the Run menu. The vulnerability is fixed in Notepad++ version 8.9.6.1, and users are advised to update to the latest version to prevent exploitation.

Vendor: notepad-plus-plus
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Users of Notepad++ versions prior to 8.9.6.1 should be aware of this vulnerability and update to the latest version. Defenders and security teams should also be aware of it and monitor for exploitation attempts, since the flaw is of interest to attackers looking for a way to run commands on a user's system.

Technical summary

The vulnerability exists in the way Notepad++ handles user-defined commands in the shortcuts.xml file. The text content of each <Command> tag inside <UserDefinedCommands> is read by NppXml::value(aNode) and stored in UserCommand._cmd without any validation. When the user clicks the corresponding entry in the Run menu, a Command object is constructed from string2wstring(ucmd.getCmd()) and its run() method is called, which passes the attacker-controlled string to ShellExecute as the executable path. Any command an attacker manages to place in shortcuts.xml is therefore executed on the user's system.

Defensive priority

Updating Notepad++ to version 8.9.6.1 or later should be treated as a high priority. Defenders should also monitor for exploitation attempts and apply additional controls against command injection where updating is delayed.

Recommended defensive actions

  • Update Notepad++ to version 8.9.6.1 or later
  • Monitor for potential exploitation attempts
  • Implement additional security measures to prevent command injection attacks
  • Review and update user-defined commands in shortcuts.xml
  • Consider implementing compensating controls to prevent exploitation
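As an added example supporting the "review user-defined commands" action above (this is not PatchSiren's or the Notepad++ project's own code), the script below parses the <UserDefinedCommands> section of a shortcuts.xml, lists each <Command> body (the string the technical summary says reaches ShellExecute unvalidated), and flags entries that name a shell or script interpreter, chain commands with cmd.exe metacharacters, use an encoded PowerShell command, or fetch a URL. The heuristics and the sample XML are constructed for illustration; the two default-style entries follow the layout of a stock shortcuts.xml.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics (constructed for this example): interpreters that rarely belong in a Run-menu
# entry, cmd.exe chaining/redirection characters, PowerShell encoded-command switches, URLs.
INTERPRETERS = re.compile(
    r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)
METACHARS = re.compile(r"[&|;^<>]")
ENCODED = re.compile(r"-e(c|nc|ncodedcommand)?\b", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def audit_commands(xml_text):
    """Return one dict per <Command> under <UserDefinedCommands>, with the reasons it was flagged."""
    root = ET.fromstring(xml_text)
    udc = root.find("UserDefinedCommands")
    if udc is None:
        return []
    findings = []
    for cmd in udc.iter("Command"):
        body = (cmd.text or "").strip()  # this is what ends up in UserCommand._cmd
        reasons = []
        if INTERPRETERS.search(body):
            reasons.append("interpreter")
        if METACHARS.search(body):
            reasons.append("metachar")
        if ENCODED.search(body):
            reasons.append("encoded")
        if URL.search(body):
            reasons.append("url")
        findings.append({"name": cmd.get("name", ""), "cmd": body, "reasons": reasons})
    return findings


def suspicious(xml_text):
    """Only the entries that tripped at least one heuristic."""
    return [f for f in audit_commands(xml_text) if f["reasons"]]


# Constructed sample: two default-style entries plus one that warrants a closer look.
SAMPLE = """<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Launch in Firefox" Ctrl="yes" Alt="yes" Shift="yes" Key="88">firefox "$(FULL_CURRENT_PATH)"</Command>
    <Command name="Send via Outlook" Ctrl="yes" Alt="yes" Shift="yes" Key="79">outlook /a "$(FULL_CURRENT_PATH)"</Command>
    <Command name="Open file" Ctrl="no" Alt="no" Shift="no" Key="0">cmd.exe /c start "" "$(FULL_CURRENT_PATH)" &amp; powershell.exe -NoProfile -Command "Get-Process"</Command>
  </UserDefinedCommands>
</NotepadPlus>
"""

if __name__ == "__main__":
    for f in audit_commands(SAMPLE):
        print(f"[{', '.join(f['reasons']) or 'ok'}] {f['name']}: {f['cmd']}")
```

Point the script at the real file (typically under %APPDATA%\Notepad++\ for a standard install, or beside notepad++.exe for a portable one) and treat any flagged entry you did not create yourself as something to remove.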

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and severity. The source item URL provides additional information on the vulnerability, including references to the Notepad++ GitHub repository.

Official resources

This article is AI-assisted and based on the supplied source corpus.