Notepad++: Security update against code smuggling vulnerability
Notepad++ improves security mechanisms and closes a new vulnerability that allows attackers to execute malicious code.
Notepad++ has been released in version 8.9.2. The new version improves security mechanisms and closes a highly risky security vulnerability through which attackers can execute arbitrary code.
In the release announcement of Notepad++ 8.9.2, developer Don Ho writes that he has improved security and closed another security vulnerability. Among the improvements, the updater now checks the integrity and authenticity of the XML returned by the update server using XMLDSig, i.e., cryptographic signatures. The automatic updater WinGUp drops two curl options, links the curl library statically instead of loading it dynamically (where a swapped-in DLL could be abused), and only launches signed programs. This also contributes to hardening security.
Furthermore, Notepad++ 8.9.2 closes a security vulnerability that arises when Windows Explorer is launched without an absolute path to its executable. If attackers can write to the process's working directory, a planted "explorer.exe" could be started instead of the genuine one, resulting in the execution of arbitrary code in the context of the running application (CVE-2026-25926, CVSS 7.3, risk "high").
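As an added illustration (not Notepad++'s own code; function names and the `/select` usage are assumptions), the difference between an unqualified program name, which Windows resolves through a search order that includes the current directory, and a drive-rooted absolute path, together with a hardened launcher for Windows builds:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A program name with no directory component is resolved through the
   CreateProcess search order (application directory, current directory,
   system directories, PATH). A file planted in the working directory wins
   that lookup; an absolute path never enters it. */
int is_unqualified(const char *exe) {
    return strchr(exe, '\\') == NULL && strchr(exe, '/') == NULL
        && strchr(exe, ':') == NULL;
}

/* Build "<windir>\explorer.exe". windir is caller-supplied (on Windows it
   comes from GetWindowsDirectoryA) so the logic is testable anywhere.
   Returns 0 on success; -1 if windir is not drive-rooted ("X:\...") or the
   result does not fit in out. A trailing backslash on windir is tolerated. */
int qualified_explorer_path(const char *windir, char *out, size_t cap) {
    size_t n;
    int written;
    if (windir == NULL || out == NULL || cap == 0) return -1;
    n = strlen(windir);
    if (n < 3 || !isalpha((unsigned char)windir[0]) || windir[1] != ':'
        || windir[2] != '\\') return -1;
    written = snprintf(out, cap, "%.*s\\explorer.exe",
                       (int)(windir[n - 1] == '\\' ? n - 1 : n), windir);
    if (written < 0 || (size_t)written >= cap) { out[0] = '\0'; return -1; }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Hardened launcher: lpApplicationName is the absolute path, so neither the
   search path nor the working directory is consulted. */
int launch_explorer_select(const char *file) {
    char windir[MAX_PATH], exe[MAX_PATH], cmd[2 * MAX_PATH + 16];
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    if (GetWindowsDirectoryA(windir, sizeof windir) == 0) return -1;
    if (qualified_explorer_path(windir, exe, sizeof exe) != 0) return -1;
    snprintf(cmd, sizeof cmd, "\"%s\" /select,\"%s\"", exe, file);
    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    if (!CreateProcessA(exe, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return -1;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif
```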
Update closes vulnerabilities and fixes bugs
In addition to these security-relevant fixes, the new version also brings further bug fixes. For example, the plug-in installation no longer crashes in some situations. A regression in the context menu, where localized shortcuts were not right-aligned, has been fixed. A new "Edit selection" function has also been added.
Notepad++ users and IT managers should install the available update promptly. Downloads for the various platforms, as well as the source code, are available in the release announcement.
The security vulnerability in the Notepad++ updater became known in December last year. Investigation results from early February show that the attackers who had been using it to distribute malware were apparently state actors.
(dmk)