CVE-2026-48778 Overview
CVE-2026-48778 is an arbitrary code execution vulnerability in Notepad++, a widely used free and open-source source code editor for Windows. Versions prior to 8.9.6.1 read the <GUIConfig name="commandLineInterpreter"> tag from config.xml without any validation, whitelist, or digital signature check. When a user triggers the File → Open Containing Folder → cmd menu item (IDM_FILE_OPEN_CMD), Notepad++ passes the attacker-controlled string directly to ShellExecute, causing execution of the specified binary. The issue is tracked as [CWE-78] and is fixed in version 8.9.6.1.
Critical Impact
An attacker who can write to a victim's Notepad++ config.xml achieves arbitrary code execution the next time the user opens a containing folder via the cmd menu action.
Affected Products
- Notepad++ versions prior to 8.9.6.1
- All Windows platforms where vulnerable Notepad++ builds are installed
- Installations where %APPDATA%\Notepad++\config.xml is writable by a lower-privileged process or user
Discovery Timeline
- 2026-06-26 - CVE-2026-48778 published to NVD
- 2026-06-29 - Last updated in NVD database
- Patch - Fix committed in Notepad++ commit 24c7b5c and released in version 8.9.6.1
- Advisory - Published as GHSA-7hm3-wp5q-ccv9
Technical Details for CVE-2026-48778
Vulnerability Analysis
Notepad++ persists the command line interpreter used for the Open Containing Folder → cmd action in its user-scoped config.xml file. The NppXml::value() function at Parameters.cpp:6430 parses the <GUIConfig name="commandLineInterpreter"> element and stores the raw string in _nppGUI._commandLineInterpreter. No allowlist, path canonicalization, or signature check is applied to the value. When the user selects the cmd menu entry, NppCommands.cpp:228 constructs a Command object with this string and invokes run(), which calls ShellExecute at RunDlg.cpp:221 with the attacker-controlled path as the executable.
Because ShellExecute will happily launch any binary the string resolves to, including UNC paths or attacker-dropped executables, this becomes reliable arbitrary code execution. The Exploit Prediction Scoring System (EPSS) currently rates the exploit likelihood at 1.314% (67.2 percentile), and a public proof of concept is available.
Root Cause
The root cause is missing input validation on a security-sensitive configuration value ([CWE-78] Improper Neutralization of Special Elements used in an OS Command). Notepad++ treats config.xml as trusted input, but the file resides in a user-writable location and is not integrity-protected. Any process able to modify that file can substitute an arbitrary executable path for the built-in cmd.exe value.
Attack Vector
Exploitation requires local write access to the victim's Notepad++ config.xml and user interaction to trigger the menu item. A typical attack chain drops a malicious config.xml into %APPDATA%\Notepad++\ (for example via a phishing archive, a first-stage loader, or an unrelated app running in the same user context), then waits for the user to use the Open Containing Folder → cmd feature. Because the payload runs under the user's token via ShellExecute, no elevation is required for initial code execution.
# Public PoC repository structure (atiilla/Notepad-8.9.6-PoC)
.
├── README.md
├── poc_CVE-2026-48770.py # OOB read crash (ctypes)
├── poc_CVE-2026-48778.py # RCE via config.xml
├── poc_CVE-2026-48800.py # RCE via shortcuts.xml
└── payloads/
├── config.xml # Drop-in payload (CVE-2026-48778)
├── shortcuts.xml # Drop-in payload (CVE-2026-48800)
└── poc_CVE-2026-48770.ps1 # OOB read crash (PowerShell)
Source: atiilla/Notepad-8.9.6-PoC
Detection Methods for CVE-2026-48778
Indicators of Compromise
- Modifications to %APPDATA%\Notepad++\config.xml where the <GUIConfig name="commandLineInterpreter"> element points to anything other than the expected cmd.exe path.
- notepad++.exe spawning child processes other than cmd.exe, explorer.exe, or powershell.exe immediately after user interaction with the File menu.
- Presence of unexpected UNC paths, script interpreters, or LOLBins in the commandLineInterpreter value.
Detection Strategies
- Hunt for process creation events where ParentImage is notepad++.exe and Image resolves to an unusual binary, script host, or path outside System32.
- File integrity monitoring on config.xml under each user's %APPDATA%\Notepad++\ directory, correlating writes to non-Notepad++ processes.
- Static scanning of config.xml files across the fleet for anomalous commandLineInterpreter values.
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) with command line logging, or equivalent EDR telemetry, on hosts running Notepad++.
- Alert on any Notepad++ child process invoked via ShellExecute that is not on an approved allowlist.
- Correlate config.xml writes with subsequent Notepad++ launches to catch drop-then-trigger sequences.
How to Mitigate CVE-2026-48778
Immediate Actions Required
- Upgrade all Notepad++ installations to version 8.9.6.1 or later.
- Audit existing config.xml files across managed endpoints and reset any commandLineInterpreter value that does not resolve to the legitimate %SystemRoot%\System32\cmd.exe.
- Restrict write permissions on %APPDATA%\Notepad++\ where operationally feasible, and treat unexpected writes as suspicious.
Patch Information
The fix is applied in Notepad++ commit 24c7b5c63cece76dbc8c4f2607a27ebfe22fa614 and released in version 8.9.6.1. The patch, documented in GHSA-7hm3-wp5q-ccv9, also introduces a dedicated PowerShell menu entry (Item id="41027") and constrains how the interpreter value is consumed so attacker-controlled paths no longer flow into ShellExecute.
Workarounds
- Avoid using the File → Open Containing Folder → cmd menu action until the update is deployed.
- Deploy config.xml from a trusted, read-only source and enforce it via application control or group policy.
- Use application allowlisting (for example Windows Defender Application Control) to block notepad++.exe from launching unapproved child processes.
# Verify the installed Notepad++ version on Windows (PowerShell)
(Get-Item "C:\Program Files\Notepad++\notepad++.exe").VersionInfo.FileVersion
# Inspect the commandLineInterpreter value in the current user's config
Select-String -Path "$env:APPDATA\Notepad++\config.xml" -Pattern 'commandLineInterpreter'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

