CVE-2026-48800 Overview
CVE-2026-48800 is a command injection vulnerability in Notepad++, a widely used free and open-source source code editor for Windows. Versions prior to 8.9.6.1 fail to validate the <Command> tag content inside <UserDefinedCommands> in shortcuts.xml. An attacker who can write to this configuration file can inject an arbitrary executable path that Notepad++ launches when the user selects the corresponding Run menu entry. The injected command appears as a normal menu item, providing a stealthy persistence mechanism on the victim's system. The issue is tracked under [CWE-78] and is fixed in version 8.9.6.1.
Critical Impact
Attackers with local file write access can achieve arbitrary code execution and persistence through malicious Run menu entries invoked via ShellExecute.
Affected Products
- Notepad++ versions prior to 8.9.6.1
- Windows installations of Notepad++ using shortcuts.xml configuration
- All user profiles where Notepad++ reads user-defined commands from disk
Discovery Timeline
- 2026-06-26 - CVE-2026-48800 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-48800
Vulnerability Analysis
The vulnerability is a command injection flaw in the handling of user-defined commands loaded from shortcuts.xml. Notepad++ reads the <Command> tag text content inside <UserDefinedCommands> using NppXml::value(aNode) at Parameters.cpp:3658 within the feedUserCmds() function. The parsed string is stored directly in UserCommand._cmd without sanitization or validation.
When the user selects the corresponding entry in the Run menu, NppCommands.cpp:4264 constructs a Command object via string2wstring(ucmd.getCmd()) and calls run(). This chain terminates in a ShellExecute call at RunDlg.cpp:221, which executes the attacker-controlled string as the target executable path.
Root Cause
The root cause is missing input validation on external XML configuration data before passing it to a Windows shell execution API. Notepad++ treats the contents of shortcuts.xml as trusted, but this file resides in a user-writable location. Any process capable of writing to the user's configuration directory can inject arbitrary commands that later execute in the context of the Notepad++ user.
Attack Vector
Exploitation requires local file write access to the victim's Notepad++ configuration directory and one user interaction (clicking the malicious Run menu entry). A public proof of concept is available in the atiilla/Notepad-8.9.6-PoC repository, which drops a crafted shortcuts.xml payload.
.
├── README.md
├── poc_CVE-2026-48770.py # OOB read crash (ctypes)
├── poc_CVE-2026-48778.py # RCE via config.xml
├── poc_CVE-2026-48800.py # RCE via shortcuts.xml
└── payloads/
├── config.xml # Drop-in payload (CVE-2026-48778)
├── shortcuts.xml # Drop-in payload (CVE-2026-48800)
└── poc_CVE-2026-48770.ps1 # OOB read crash (PowerShell)
Source: atiilla/Notepad-8.9.6-PoC
Detection Methods for CVE-2026-48800
Indicators of Compromise
- Modifications to shortcuts.xml in the Notepad++ configuration directory from processes other than notepad++.exe
- Unexpected <UserDefinedCommands> entries referencing executables, scripts, or LOLBins such as cmd.exe, powershell.exe, mshta.exe, or rundll32.exe
- notepad++.exe spawning child processes that do not correspond to legitimate developer workflows
Detection Strategies
- Monitor process creation events where the parent process is notepad++.exe and the child is a shell or scripting interpreter
- Baseline the contents of shortcuts.xml in user profiles and alert on unauthorized changes
- Correlate file writes to %APPDATA%\Notepad++\shortcuts.xml with subsequent execution of unusual binaries
Monitoring Recommendations
- Enable command-line auditing on Windows endpoints to capture arguments passed via ShellExecute chains
- Track version information for deployed Notepad++ installations to identify hosts still running versions below 8.9.6.1
- Review Sysmon Event ID 1 (Process Create) and Event ID 11 (FileCreate) for suspicious activity involving Notepad++ configuration files
How to Mitigate CVE-2026-48800
Immediate Actions Required
- Upgrade all Notepad++ installations to version 8.9.6.1 or later
- Audit existing shortcuts.xml files across user profiles for unexpected <UserDefinedCommands> entries and remove any unrecognized commands
- Restrict write permissions on Notepad++ configuration directories where feasible in managed environments
Patch Information
The fix is included in Notepad++ 8.9.6.1. Details are available in the GitHub Security Advisory GHSA-3x3f-3j39-pj3v and the upstream commit 6b3dc52.
<NotepadPlus>
- <Native-Langue name="English" filename="english.xml" version="8.9.5">
+ <Native-Langue name="English" filename="english.xml" version="8.9.6">
Source: Notepad++ commit 6b3dc52
Workarounds
- Until patching is complete, remove or reset user-defined Run menu entries by clearing <UserDefinedCommands> in shortcuts.xml
- Apply file integrity monitoring on shortcuts.xml to detect and roll back unauthorized modifications
- Enforce application allowlisting to block execution of unexpected binaries spawned from notepad++.exe
# Example: locate Notepad++ shortcuts.xml files and inspect user commands
Get-ChildItem -Path "$env:APPDATA\Notepad++\shortcuts.xml" -ErrorAction SilentlyContinue |
ForEach-Object { Select-String -Path $_.FullName -Pattern "UserDefinedCommands|<Command" }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

