CVE-2026-48778
HighCVSS 7.8Exploitation Probability (EPSS)
Elevated risk68th percentile — higher than 68% of all known CVEs
Summary
Notepad++ prior to version 8.9.6.1 has a vulnerability due to missing validation of the <GUIConfig name="commandLineInterpreter"> tag in config.xml. An attacker can modify this file to execute arbitrary commands with user privileges when the console is opened via File → Open Containing Folder → cmd.
Risk Assessment
The risk involves remote or local arbitrary code execution after delivering a crafted configuration file. The organization is exposed to workstation takeover, data theft, or malware installation.
Recommendation
Immediately update Notepad++ to version 8.9.6.1 or later. Additionally, restrict write permissions to config.xml and implement configuration file integrity checks.
Original NVD description (English source)
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.

