CVE-2026-48800
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
Notepad++ prior to version 8.9.6.1 contains a vulnerability due to missing validation of the <Command> tag content in shortcuts.xml. An attacker can inject arbitrary commands that execute when the user clicks the corresponding entry in the Run menu.
Risk Assessment
The risk involves a potential persistence mechanism where a malicious command is injected as a Run menu item. Users may unknowingly execute harmful code, leading to system compromise.
Recommendation
Update Notepad++ to version 8.9.6.1 or later immediately. Additionally, review shortcuts.xml for unauthorized entries in the <UserDefinedCommands> section.
Original NVD description (English source)
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validation. When the user clicks the corresponding entry in the Run menu, NppCommands.cpp:4264 creates a Command object with string2wstring(ucmd.getCmd()) and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. The injected command appears as a normal menu item in the Run menu, making it a viable persistence mechanism. This vulnerability is fixed in 8.9.6.1.

