CVE Catalog

CVE-2026-48800

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

Notepad++ prior to version 8.9.6.1 contains a vulnerability due to missing validation of the <Command> tag content in shortcuts.xml. An attacker can inject arbitrary commands that execute when the user clicks the corresponding entry in the Run menu.

Risk Assessment

The risk involves a potential persistence mechanism where a malicious command is injected as a Run menu item. Users may unknowingly execute harmful code, leading to system compromise.

Recommendation

Update Notepad++ to version 8.9.6.1 or later immediately. Additionally, review shortcuts.xml for unauthorized entries in the <UserDefinedCommands> section.

Original NVD description (English source)

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validation. When the user clicks the corresponding entry in the Run menu, NppCommands.cpp:4264 creates a Command object with string2wstring(ucmd.getCmd()) and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. The injected command appears as a normal menu item in the Run menu, making it a viable persistence mechanism. This vulnerability is fixed in 8.9.6.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS