PT-2026-52973 · Notepad++ · Notepad++
Published: 2026-06-26 · Updated: 2026-06-27 · CVE-2026-52885
CVSS v4.0: 7.5 (High)
Vector: AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Notepad++ versions prior to 8.9.6.4
Description
A Time-of-Check to Time-of-Use (TOCTOU) flaw exists in NppCommands.cpp. When a user command is triggered, the application validates the HMAC of the shortcuts.xml file on disk, but it executes the command payload from the userCommands vector held in memory, which is populated once at startup and never re-synchronized with the file. An attacker with write access to shortcuts.xml can replace the file with a malicious version before the application starts and then restore the original file. The HMAC check then passes against the legitimate file on disk while the malicious payload is executed from the stale in-memory copy.
Recommendations
Update to version 8.9.6.4.
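The check-then-use mismatch described above, as an added illustration that is not Notepad++ code: a self-contained C++ model in which the integrity check runs against the bytes on disk while the use reads from a cache built at startup, next to a hardened variant that verifies and parses one and the same snapshot. The keyed digest, the one-entry-per-line file format and the names toyMac, parseCommands, ShortcutStore and replayStaleCache are constructed for this example and are not the project's API; the hardened variant is one possible fix, not necessarily the one shipped in 8.9.6.4.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for the real HMAC: a keyed FNV-1a digest over key || 0x00 || data.
// Constructed for this example only; it is NOT a secure MAC.
static uint64_t toyMac(const std::string& key, const std::string& data) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : key + '\0' + data) {
        h ^= c;
        h *= 1099511628211ULL;
    }
    return h;
}

// Parse a simplified shortcuts file: one "name=command" entry per line.
static std::vector<std::string> parseCommands(const std::string& file) {
    std::vector<std::string> cmds;
    std::istringstream in(file);
    std::string line;
    while (std::getline(in, line)) {
        auto eq = line.find('=');
        if (eq != std::string::npos) cmds.push_back(line.substr(eq + 1));
    }
    return cmds;
}

// Models the relevant state: the bytes currently on disk, the MAC the
// application trusts, and the command cache that is filled at startup.
struct ShortcutStore {
    std::string key;
    std::string diskFile;                  // simulated shortcuts.xml contents
    uint64_t trustedMac = 0;               // MAC of the legitimate file
    std::vector<std::string> userCommands; // populated once, never refreshed

    void startup() { userCommands = parseCommands(diskFile); }

    // Vulnerable pattern: the check reads the file on disk, the use reads the
    // cache, so the two can describe different contents (TOCTOU).
    std::optional<std::string> runVulnerable(std::size_t idx) const {
        if (toyMac(key, diskFile) != trustedMac) return std::nullopt;
        if (idx >= userCommands.size()) return std::nullopt;
        return userCommands[idx];
    }

    // Hardened pattern: take one snapshot of the bytes, verify that snapshot,
    // and execute only what was parsed from it. Check and use share the data.
    std::optional<std::string> runHardened(std::size_t idx) const {
        const std::string snapshot = diskFile;  // single read of the file
        if (toyMac(key, snapshot) != trustedMac) return std::nullopt;
        auto cmds = parseCommands(snapshot);
        if (idx >= cmds.size()) return std::nullopt;
        return cmds[idx];
    }
};

struct Outcome { std::optional<std::string> vulnerable, hardened; };

// Regression scenario with constructed data: the cache is built while the disk
// holds an untrusted file, then the trusted file is back before a command runs.
static Outcome replayStaleCache() {
    const std::string trusted = "greet=echo hello\n";
    const std::string untrusted = "greet=echo tampered\n";
    ShortcutStore s;
    s.key = "constructed-demo-key";
    s.trustedMac = toyMac(s.key, trusted);
    s.diskFile = untrusted;   // disk differs from the trusted file at startup
    s.startup();              // cache now holds "echo tampered"
    s.diskFile = trusted;     // trusted bytes on disk when the command fires
    return { s.runVulnerable(0), s.runHardened(0) };
}

int main() {
    Outcome o = replayStaleCache();
    std::cout << "vulnerable path ran: " << o.vulnerable.value_or("(rejected)") << "\n";
    std::cout << "hardened path ran:   " << o.hardened.value_or("(rejected)") << "\n";
    return 0;
}
```

replayStaleCache doubles as the test a defender would keep around after the fix: the vulnerable path returns the stale cached command even though the MAC check passes, the hardened path returns the command from the verified bytes, and both paths still reject a file whose MAC does not match the trusted value.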
Weakness Enumeration
Time Of Check To Time Of Use
Related Identifiers
CVE-2026-52885
Affected Products
Notepad++