CVE-2026-52884
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
Notepad++ version 8.9.6.1 has a vulnerability where the isInTrustedDirectory() function does not canonicalize the path before checking. It uses a prefix-based check that can be bypassed with a path containing ..\..\ after a trusted directory prefix, resolving to an untrusted location. This issue is fixed in version 8.9.6.2.
Risk Assessment
An attacker could exploit this vulnerability to execute arbitrary executables outside the trusted directory, potentially leading to code execution in the context of the Notepad++ user.
Recommendation
Immediately update Notepad++ to version 8.9.6.2 or later, which includes the fix for this vulnerability.
Original NVD description (English source)
Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.

