Notepad++: Update fixes installer vulnerability

An update for Notepad++ closes a security vulnerability in the installer. An official CVE entry with risk assessment is still missing.

[Image: Notepad++ logo next to warning sign (Dirk Knoch / heise medien)]

In its new version 8.9.6, Notepad++ closes a security vulnerability in the installer. The risk assessment is not yet clear, and a listed CVE entry has not yet been published.

In the release announcement, Notepad++ developer Don Ho writes that the vulnerability affects versions 8.9.4 and 8.9.5 of Notepad++, although some installer-related regressions were already fixed in the latter version. The vulnerability has been assigned the CVE entry CVE-2026-46710, which has not yet been published. CERT-Bund, part of Germany's Federal Office for Information Security (BSI), rates the severity at 7.3 on the CVSS scale, classifying it as a “high” risk.

True to the old programmer's adage, the code is currently the only documentation. In the commit related to the vulnerability, Ho writes that the file path is now retrieved from the registry instead of being hardcoded. This concerns the invocation of “powershell”, which was previously called without any path. That at least suggests the possibility that an attacker could place a malicious file named “powershell.exe” in the Windows search path, which would then be executed when an installation or update is started.
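To make the search-path issue concrete, here is an added Python model (not Notepad++ or installer code) that contrasts an unqualified “powershell” call with a fully qualified one and adds an audit helper that flags PATH entries where a foreign powershell.exe would shadow the genuine one. It assumes the default PowerShell install location (the actual fix reads the path from the registry), and the sample PATH and file list are constructed.

```python
import ntpath
import os

# Assumption: the default location of the genuine PowerShell host on Windows.
# The article's fix instead reads the real path from the registry at run time.
TRUSTED_POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TRUSTED_DIR = ntpath.dirname(TRUSTED_POWERSHELL)


def resolve_unqualified(name, path_dirs, present_files):
    """Model of an unqualified call such as 'powershell': the first PATH entry
    that holds <name>.exe wins, regardless of who placed the file there."""
    present = {p.lower() for p in present_files}
    for d in path_dirs:
        candidate = ntpath.join(d, name + ".exe")
        if candidate.lower() in present:
            return candidate
    return None


def resolve_qualified(present_files):
    """Hardened form: accept only the fully qualified trusted path and never
    fall back to a PATH search when it is absent."""
    present = {p.lower() for p in present_files}
    return TRUSTED_POWERSHELL if TRUSTED_POWERSHELL.lower() in present else None


def shadowing_dirs(path_dirs, is_writable=None):
    """Audit helper: PATH entries that precede the trusted PowerShell directory
    and are writable by the current (unprivileged) user. A powershell.exe
    dropped there shadows the real one for every unqualified call."""
    if is_writable is None:
        is_writable = lambda d: os.access(d, os.W_OK)
    hits = []
    for d in path_dirs:
        if d.lower() == TRUSTED_DIR.lower():
            break
        if is_writable(d):
            hits.append(d)
    return hits


# Constructed sample: a user-profile tools directory precedes System32 in PATH,
# and a foreign powershell.exe sits there alongside the genuine one.
SAMPLE_PATH = [r"C:\Users\alice\tools", r"C:\Windows\System32", TRUSTED_DIR]
SAMPLE_WRITABLE = {r"C:\Users\alice\tools"}
SAMPLE_FILES = [r"C:\Users\alice\tools\powershell.exe", TRUSTED_POWERSHELL]

if __name__ == "__main__":
    print("unqualified:", resolve_unqualified("powershell", SAMPLE_PATH, SAMPLE_FILES))
    print("qualified:  ", resolve_qualified(SAMPLE_FILES))
    print("shadowing:  ", shadowing_dirs(SAMPLE_PATH, lambda d: d in SAMPLE_WRITABLE))
```

On a real Windows host, pass `os.environ["PATH"].split(";")` to `shadowing_dirs` with the default writability check to audit the current user's search path.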

The updated version can be found on the Notepad++ download website. At the time of reporting, the internal update mechanism reports that there is no generally available update after v8.9.5. Calling “winget upgrade --all” in the Windows command prompt also does not yet bring up the updated version of the powerful text tool. Therefore, anyone who wants to protect themselves now must take action themselves and download and install the update.

At the end of last year, a security vulnerability in Notepad++'s update mechanism was exploited by state actors. They used it to install malware on victims' computers.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.