PT-2026-44374 · Notepad++ · Notepad++
Daniel Cifuentes
+2
·
Published
2026-05-26
·
Updated
2026-06-29
·
CVE-2026-48770
CVSS v3.1
5.0
Medium
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Notepad++ versions prior to 8.9.6.1
Description
Multiple issues exist in the software, including a buffer over-read in the inter-process communication mechanism that can lead to a denial of service. Additionally, remote code execution is possible through configuration file injection because the application passes
commandLineInterpreter from 'config.xml' and UserDefinedCommands from 'shortcuts.xml' directly to the ShellExecute() function without validation.Recommendations
Update to version 8.9.6.1.
Exploit
Fix
DoS
RCE
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Notepad++