Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48800

CVE-2026-48800: Notepad++ RCE Vulnerability

CVE-2026-48800 is a remote code execution flaw in Notepad++ that allows attackers to execute arbitrary commands via malicious shortcuts.xml entries. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-48800 Overview

CVE-2026-48800 is a command injection vulnerability in Notepad++, a widely used free and open-source source code editor for Windows. Versions prior to 8.9.6.1 fail to validate the <Command> tag content inside <UserDefinedCommands> in shortcuts.xml. An attacker who can write to this configuration file can inject an arbitrary executable path that Notepad++ launches when the user selects the corresponding Run menu entry. The injected command appears as a normal menu item, providing a stealthy persistence mechanism on the victim's system. The issue is tracked under [CWE-78] and is fixed in version 8.9.6.1.

Critical Impact

Attackers with local file write access can achieve arbitrary code execution and persistence through malicious Run menu entries invoked via ShellExecute.

Affected Products

  • Notepad++ versions prior to 8.9.6.1
  • Windows installations of Notepad++ using shortcuts.xml configuration
  • All user profiles where Notepad++ reads user-defined commands from disk

Discovery Timeline

  • 2026-06-26 - CVE-2026-48800 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-48800

Vulnerability Analysis

The vulnerability is a command injection flaw in the handling of user-defined commands loaded from shortcuts.xml. Notepad++ reads the <Command> tag text content inside <UserDefinedCommands> using NppXml::value(aNode) at Parameters.cpp:3658 within the feedUserCmds() function. The parsed string is stored directly in UserCommand._cmd without sanitization or validation.

When the user selects the corresponding entry in the Run menu, NppCommands.cpp:4264 constructs a Command object via string2wstring(ucmd.getCmd()) and calls run(). This chain terminates in a ShellExecute call at RunDlg.cpp:221, which executes the attacker-controlled string as the target executable path.

Root Cause

The root cause is missing input validation on external XML configuration data before passing it to a Windows shell execution API. Notepad++ treats the contents of shortcuts.xml as trusted, but this file resides in a user-writable location. Any process capable of writing to the user's configuration directory can inject arbitrary commands that later execute in the context of the Notepad++ user.

Attack Vector

Exploitation requires local file write access to the victim's Notepad++ configuration directory and one user interaction (clicking the malicious Run menu entry). A public proof of concept is available in the atiilla/Notepad-8.9.6-PoC repository, which drops a crafted shortcuts.xml payload.

text
.
├── README.md
├── poc_CVE-2026-48770.py                    # OOB read crash (ctypes)
├── poc_CVE-2026-48778.py                    # RCE via config.xml
├── poc_CVE-2026-48800.py                    # RCE via shortcuts.xml
└── payloads/
    ├── config.xml                           # Drop-in payload (CVE-2026-48778)
    ├── shortcuts.xml                        # Drop-in payload (CVE-2026-48800)
    └── poc_CVE-2026-48770.ps1               # OOB read crash (PowerShell)

Source: atiilla/Notepad-8.9.6-PoC

Detection Methods for CVE-2026-48800

Indicators of Compromise

  • Modifications to shortcuts.xml in the Notepad++ configuration directory from processes other than notepad++.exe
  • Unexpected <UserDefinedCommands> entries referencing executables, scripts, or LOLBins such as cmd.exe, powershell.exe, mshta.exe, or rundll32.exe
  • notepad++.exe spawning child processes that do not correspond to legitimate developer workflows

Detection Strategies

  • Monitor process creation events where the parent process is notepad++.exe and the child is a shell or scripting interpreter
  • Baseline the contents of shortcuts.xml in user profiles and alert on unauthorized changes
  • Correlate file writes to %APPDATA%\Notepad++\shortcuts.xml with subsequent execution of unusual binaries

Monitoring Recommendations

  • Enable command-line auditing on Windows endpoints to capture arguments passed via ShellExecute chains
  • Track version information for deployed Notepad++ installations to identify hosts still running versions below 8.9.6.1
  • Review Sysmon Event ID 1 (Process Create) and Event ID 11 (FileCreate) for suspicious activity involving Notepad++ configuration files

How to Mitigate CVE-2026-48800

Immediate Actions Required

  • Upgrade all Notepad++ installations to version 8.9.6.1 or later
  • Audit existing shortcuts.xml files across user profiles for unexpected <UserDefinedCommands> entries and remove any unrecognized commands
  • Restrict write permissions on Notepad++ configuration directories where feasible in managed environments

Patch Information

The fix is included in Notepad++ 8.9.6.1. Details are available in the GitHub Security Advisory GHSA-3x3f-3j39-pj3v and the upstream commit 6b3dc52.

text
 <NotepadPlus>
-	<Native-Langue name="English" filename="english.xml" version="8.9.5">
+	<Native-Langue name="English" filename="english.xml" version="8.9.6">

Source: Notepad++ commit 6b3dc52

Workarounds

  • Until patching is complete, remove or reset user-defined Run menu entries by clearing <UserDefinedCommands> in shortcuts.xml
  • Apply file integrity monitoring on shortcuts.xml to detect and roll back unauthorized modifications
  • Enforce application allowlisting to block execution of unexpected binaries spawned from notepad++.exe
bash
# Example: locate Notepad++ shortcuts.xml files and inspect user commands
Get-ChildItem -Path "$env:APPDATA\Notepad++\shortcuts.xml" -ErrorAction SilentlyContinue |
    ForEach-Object { Select-String -Path $_.FullName -Pattern "UserDefinedCommands|<Command" }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.