Another update is available for Notepad++. It closes three security vulnerabilities, two of which are classified as high-risk and allow attackers to inject and execute commands or even malicious code.
In the release announcement for Notepad++ v8.9.6.1, developer Don Ho writes that the new version fixes the three vulnerabilities. The configuration file “config.xml” placed no restriction on the parameter “commandLineInterpreter,” so attackers with user privileges could change the entry or point it at a malicious .lnk file to start their own files. The file is launched when a victim selects “File” – “Open Containing Folder” and then “Command Prompt (cmd)”. The fix restricts the allowed entries to cmd.exe, powershell.exe, or bash.exe, performs a path check, and asks users for confirmation (CVE-2026-48778, CVSS 7.8, Risk “high”).
A similar vulnerability is opened by the “<Command>” tag within “<UserDefinedCommands>” in the “shortcuts.xml” file. This executes whatever is entered there after clicking the corresponding entry in the “Execute” menu of Notepad++. Here, user confirmation before execution should also help, or a warning if new entries appear that were not created via the program GUI (CVE-2026-48800, CVSS 7.8, Risk “high”). The third vulnerability allows local processes to send “WM_COPYDATA” messages to Notepad++; with prepared requests, this can cause Notepad++ to crash; a denial-of-service is possible (CVE-2026-48770, CVSS 5.0, Risk “medium”).
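The two high-risk issues above both come down to Notepad++ trusting whatever is written into two user-writable XML files. The following audit script is an added example, not code from Notepad++ or from the article: it applies the announced mitigation for “commandLineInterpreter” (allow-list of cmd.exe, powershell.exe, bash.exe plus a path check) to a config.xml, and reports “<Command>” entries under “<UserDefinedCommands>” in shortcuts.xml that do not match a baseline a defender recorded earlier. The exact layout of both XML files, the meaning of the “path check” (an explicit directory must be an absolute path under the Windows directory), the baseline mechanism, and both sample documents are assumptions made for this example.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Interpreters the fixed Notepad++ release accepts for commandLineInterpreter (from the release notes).
ALLOWED_INTERPRETERS = {"cmd.exe", "powershell.exe", "bash.exe"}
# Directory prefix an explicitly given interpreter path must live under (assumption for this audit).
TRUSTED_PREFIXES = ("c:\\windows\\",)


def check_interpreter(value: str) -> tuple[bool, str]:
    """Allow-list plus path check for a single commandLineInterpreter value."""
    value = value.strip().strip('"')
    if not value:
        return False, "empty interpreter value"
    path = PureWindowsPath(value)
    name = path.name.lower()
    if not name.endswith(".exe"):
        name += ".exe"  # a bare "cmd" or "powershell" resolves to the .exe
    if name not in ALLOWED_INTERPRETERS:
        return False, f"{path.name!r} is not cmd.exe, powershell.exe or bash.exe"
    if path.parent != PureWindowsPath("."):  # an explicit directory was supplied
        parent = str(path.parent).lower()
        if not path.is_absolute() or not parent.startswith(TRUSTED_PREFIXES):
            return False, f"interpreter path {value!r} is outside the trusted directory"
    return True, "ok"


def interpreter_values(config_xml: str) -> list[str]:
    """Collect every commandLineInterpreter setting, whether stored as an element
    name or as a name="..." attribute (the real config.xml layout is assumed)."""
    root = ET.fromstring(config_xml)
    return [
        (el.text or "")
        for el in root.iter()
        if el.tag == "commandLineInterpreter" or el.get("name") == "commandLineInterpreter"
    ]


def audit_config(config_xml: str) -> list[str]:
    """Return one finding per commandLineInterpreter value that fails the check."""
    findings = []
    for value in interpreter_values(config_xml):
        ok, reason = check_interpreter(value)
        if not ok:
            findings.append(f"config.xml: commandLineInterpreter={value!r}: {reason}")
    return findings


def user_defined_commands(shortcuts_xml: str) -> dict[str, str]:
    """Map each <Command name="..."> under <UserDefinedCommands> to its command line."""
    root = ET.fromstring(shortcuts_xml)
    cmds = {}
    for block in root.iter("UserDefinedCommands"):
        for cmd in block.findall("Command"):
            cmds[cmd.get("name", "<unnamed>")] = (cmd.text or "").strip()
    return cmds


def audit_shortcuts(shortcuts_xml: str, baseline: dict[str, str]) -> list[str]:
    """Report menu entries that are new or changed relative to a baseline the
    defender recorded after the user last edited them through the GUI."""
    findings = []
    for name, cmdline in user_defined_commands(shortcuts_xml).items():
        if name not in baseline:
            findings.append(f"shortcuts.xml: new entry {name!r} runs {cmdline!r}")
        elif baseline[name] != cmdline:
            findings.append(f"shortcuts.xml: entry {name!r} changed to {cmdline!r}")
    return findings


# Constructed sample files: the interpreter points at a shortcut in a user-writable
# folder, and shortcuts.xml carries one entry the baseline has never seen.
CONFIG_XML = r"""<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\Users\Public\helper.lnk</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

SHORTCUTS_XML = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Open docs" Ctrl="no" Alt="no" Shift="no" Key="0">explorer.exe https://example.com/docs</Command>
    <Command name="Run helper" Ctrl="no" Alt="no" Shift="no" Key="0">C:\Users\Public\helper.lnk</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

BASELINE = {"Open docs": "explorer.exe https://example.com/docs"}  # recorded earlier (constructed)

if __name__ == "__main__":
    for line in audit_config(CONFIG_XML) + audit_shortcuts(SHORTCUTS_XML, BASELINE):
        print(line)
```

Run against a user's real Notepad++ configuration directory, the two audit functions give a defender the same signal the patched editor now produces interactively: a rejected interpreter value and a list of “Execute” menu entries that appeared outside the GUI. Both findings are cheap to emit from an endpoint inventory job, and the path check is deliberately strict (relative paths and anything outside the Windows directory fail) because a relative entry is exactly how a look-alike binary in a user-writable folder would be reached.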