CVE Catalog

CVE-2026-52884

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

Notepad++ version 8.9.6.1 has a vulnerability where the isInTrustedDirectory() function does not canonicalize the path before checking. It uses a prefix-based check that can be bypassed with a path containing ..\..\ after a trusted directory prefix, resolving to an untrusted location. This issue is fixed in version 8.9.6.2.

Risk Assessment

An attacker could exploit this vulnerability to execute arbitrary executables outside the trusted directory, potentially leading to code execution in the context of the Notepad++ user.

Recommendation

Immediately update Notepad++ to version 8.9.6.2 or later, which includes the fix for this vulnerability.

Original NVD description (English source)

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS