CVE Catalog

CVE-2026-48778

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.37%

68th percentile — higher than 68% of all known CVEs

Summary

Notepad++ prior to version 8.9.6.1 has a vulnerability due to missing validation of the <GUIConfig name="commandLineInterpreter"> tag in config.xml. An attacker can modify this file to execute arbitrary commands with user privileges when the console is opened via File → Open Containing Folder → cmd.

Risk Assessment

The risk involves remote or local arbitrary code execution after delivering a crafted configuration file. The organization is exposed to workstation takeover, data theft, or malware installation.

Recommendation

Immediately update Notepad++ to version 8.9.6.1 or later. Additionally, restrict write permissions to config.xml and implement configuration file integrity checks.

Original NVD description (English source)

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS