Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48778

CVE-2026-48778: Notepad++ RCE Vulnerability

CVE-2026-48778 is a remote code execution vulnerability in Notepad++ allowing attackers to execute arbitrary code via malicious config.xml manipulation. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-48778 Overview

CVE-2026-48778 is an arbitrary code execution vulnerability in Notepad++, a widely used free and open-source source code editor for Windows. Versions prior to 8.9.6.1 read the <GUIConfig name="commandLineInterpreter"> tag from config.xml without any validation, whitelist, or digital signature check. When a user triggers the File → Open Containing Folder → cmd menu item (IDM_FILE_OPEN_CMD), Notepad++ passes the attacker-controlled string directly to ShellExecute, causing execution of the specified binary. The issue is tracked as [CWE-78] and is fixed in version 8.9.6.1.

Critical Impact

An attacker who can write to a victim's Notepad++ config.xml achieves arbitrary code execution the next time the user opens a containing folder via the cmd menu action.

Affected Products

  • Notepad++ versions prior to 8.9.6.1
  • All Windows platforms where vulnerable Notepad++ builds are installed
  • Installations where %APPDATA%\Notepad++\config.xml is writable by a lower-privileged process or user

Discovery Timeline

  • 2026-06-26 - CVE-2026-48778 published to NVD
  • 2026-06-29 - Last updated in NVD database
  • Patch - Fix committed in Notepad++ commit 24c7b5c and released in version 8.9.6.1
  • Advisory - Published as GHSA-7hm3-wp5q-ccv9

Technical Details for CVE-2026-48778

Vulnerability Analysis

Notepad++ persists the command line interpreter used for the Open Containing Folder → cmd action in its user-scoped config.xml file. The NppXml::value() function at Parameters.cpp:6430 parses the <GUIConfig name="commandLineInterpreter"> element and stores the raw string in _nppGUI._commandLineInterpreter. No allowlist, path canonicalization, or signature check is applied to the value. When the user selects the cmd menu entry, NppCommands.cpp:228 constructs a Command object with this string and invokes run(), which calls ShellExecute at RunDlg.cpp:221 with the attacker-controlled path as the executable.

Because ShellExecute will happily launch any binary the string resolves to, including UNC paths or attacker-dropped executables, this becomes reliable arbitrary code execution. The Exploit Prediction Scoring System (EPSS) currently rates the exploit likelihood at 1.314% (67.2 percentile), and a public proof of concept is available.

Root Cause

The root cause is missing input validation on a security-sensitive configuration value ([CWE-78] Improper Neutralization of Special Elements used in an OS Command). Notepad++ treats config.xml as trusted input, but the file resides in a user-writable location and is not integrity-protected. Any process able to modify that file can substitute an arbitrary executable path for the built-in cmd.exe value.

Attack Vector

Exploitation requires local write access to the victim's Notepad++ config.xml and user interaction to trigger the menu item. A typical attack chain drops a malicious config.xml into %APPDATA%\Notepad++\ (for example via a phishing archive, a first-stage loader, or an unrelated app running in the same user context), then waits for the user to use the Open Containing Folder → cmd feature. Because the payload runs under the user's token via ShellExecute, no elevation is required for initial code execution.

text
# Public PoC repository structure (atiilla/Notepad-8.9.6-PoC)
.
├── README.md
├── poc_CVE-2026-48770.py                    # OOB read crash (ctypes)
├── poc_CVE-2026-48778.py                    # RCE via config.xml
├── poc_CVE-2026-48800.py                    # RCE via shortcuts.xml
└── payloads/
    ├── config.xml                           # Drop-in payload (CVE-2026-48778)
    ├── shortcuts.xml                        # Drop-in payload (CVE-2026-48800)
    └── poc_CVE-2026-48770.ps1               # OOB read crash (PowerShell)

Source: atiilla/Notepad-8.9.6-PoC

Detection Methods for CVE-2026-48778

Indicators of Compromise

  • Modifications to %APPDATA%\Notepad++\config.xml where the <GUIConfig name="commandLineInterpreter"> element points to anything other than the expected cmd.exe path.
  • notepad++.exe spawning child processes other than cmd.exe, explorer.exe, or powershell.exe immediately after user interaction with the File menu.
  • Presence of unexpected UNC paths, script interpreters, or LOLBins in the commandLineInterpreter value.

Detection Strategies

  • Hunt for process creation events where ParentImage is notepad++.exe and Image resolves to an unusual binary, script host, or path outside System32.
  • File integrity monitoring on config.xml under each user's %APPDATA%\Notepad++\ directory, correlating writes to non-Notepad++ processes.
  • Static scanning of config.xml files across the fleet for anomalous commandLineInterpreter values.

Monitoring Recommendations

  • Enable Windows process creation auditing (Event ID 4688) with command line logging, or equivalent EDR telemetry, on hosts running Notepad++.
  • Alert on any Notepad++ child process invoked via ShellExecute that is not on an approved allowlist.
  • Correlate config.xml writes with subsequent Notepad++ launches to catch drop-then-trigger sequences.

How to Mitigate CVE-2026-48778

Immediate Actions Required

  • Upgrade all Notepad++ installations to version 8.9.6.1 or later.
  • Audit existing config.xml files across managed endpoints and reset any commandLineInterpreter value that does not resolve to the legitimate %SystemRoot%\System32\cmd.exe.
  • Restrict write permissions on %APPDATA%\Notepad++\ where operationally feasible, and treat unexpected writes as suspicious.

Patch Information

The fix is applied in Notepad++ commit 24c7b5c63cece76dbc8c4f2607a27ebfe22fa614 and released in version 8.9.6.1. The patch, documented in GHSA-7hm3-wp5q-ccv9, also introduces a dedicated PowerShell menu entry (Item id="41027") and constrains how the interpreter value is consumed so attacker-controlled paths no longer flow into ShellExecute.

Workarounds

  • Avoid using the File → Open Containing Folder → cmd menu action until the update is deployed.
  • Deploy config.xml from a trusted, read-only source and enforce it via application control or group policy.
  • Use application allowlisting (for example Windows Defender Application Control) to block notepad++.exe from launching unapproved child processes.
bash
# Verify the installed Notepad++ version on Windows (PowerShell)
(Get-Item "C:\Program Files\Notepad++\notepad++.exe").VersionInfo.FileVersion

# Inspect the commandLineInterpreter value in the current user's config
Select-String -Path "$env:APPDATA\Notepad++\config.xml" -Pattern 'commandLineInterpreter'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.