Notepad++: Vulnerabilities allow injection of malware and commands

Security vulnerabilities in the popular text editor Notepad++, some of them rated high-risk, allow attackers to inject malware and commands.

[Image: Notepad++ logo next to a warning sign (Image: heise medien)]


Another update is available for Notepad++. It closes three security vulnerabilities, two of which are rated high-risk and let attackers smuggle in and execute commands or even malicious code.

In the release announcement for Notepad++ v8.9.6.1, developer Don Ho writes that the new version fixes the three vulnerabilities. The configuration file “config.xml” places no restriction on the “commandLineInterpreter” parameter, so an attacker who already has the user's privileges can point the entry at an arbitrary file, or at a malicious .lnk shortcut, and have it launched. The file runs as soon as the victim selects “File” – “Open Containing Folder” and then “Command Prompt (cmd)”. The fix restricts the allowed values to cmd.exe, powershell.exe or bash.exe, adds a path check and asks the user for confirmation before launching (CVE-2026-48778, CVSS 7.8, risk “high”).

A similar weakness lies in the “<Command>” tag inside “<UserDefinedCommands>” in the “shortcuts.xml” file: whatever is entered there is executed as soon as the corresponding entry in Notepad++'s “Run” menu is clicked. Here, too, the remedy is a confirmation prompt before execution, or a warning when entries appear that were not created through the program's GUI (CVE-2026-48800, CVSS 7.8, risk “high”). The third vulnerability concerns “WM_COPYDATA” window messages, which any local process can send to Notepad++; specially crafted messages crash the editor, so a denial of service is possible (CVE-2026-48770, CVSS 5.0, risk “medium”).
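For administrators who cannot roll the patched version out immediately, the two configuration-driven issues above can at least be audited. The script below is an added example, not code from the Notepad++ project or from the article: it parses a config.xml and a shortcuts.xml, checks the “commandLineInterpreter” value against the allow-list the fix introduces (cmd.exe, powershell.exe, bash.exe), applies a simple path check, and reports “UserDefinedCommands” entries that differ from a baseline recorded after the last legitimate GUI edit. The element layout follows what Notepad++ writes under %APPDATA%\Notepad++; the sample documents, the trusted-directory list and the baseline are constructed for the example.

```python
"""Audit Notepad++ config.xml / shortcuts.xml for the two command-execution
settings discussed in the article. Added example, not Notepad++ project code.
The sample XML below is constructed; element names mirror the files Notepad++
writes to %APPDATA%\\Notepad++."""
import ntpath
import xml.etree.ElementTree as ET

# Interpreters the patched release accepts (per the article); the bare
# "cmd" form is the stock default value Notepad++ ships with.
ALLOWED_INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe",
                        "bash", "bash.exe"}

# Assumption for the path check: a fully qualified interpreter must live in
# one of these system directories, never in a user-writable location.
TRUSTED_DIRS = (r"c:\windows\system32",
                r"c:\windows\system32\windowspowershell\v1.0")


def interpreter_findings(config_xml: str) -> list[tuple[str, str]]:
    """Return (finding_code, value) pairs for every commandLineInterpreter
    entry that would not pass the allow-list or the path check."""
    root = ET.fromstring(config_xml)
    findings = []
    for cfg in root.iter("GUIConfig"):
        if cfg.get("name") != "commandLineInterpreter":
            continue
        value = (cfg.text or "").strip()
        directory, exe = ntpath.split(value)
        if exe.lower() not in ALLOWED_INTERPRETERS:
            # Catches .lnk shortcuts and renamed binaries alike
            findings.append(("not-allowed", value))
        if directory and directory.lower() not in TRUSTED_DIRS:
            findings.append(("untrusted-dir", value))
    return findings


def user_commands(shortcuts_xml: str) -> dict[str, str]:
    """Map each UserDefinedCommands/Command name to its command line."""
    root = ET.fromstring(shortcuts_xml)
    return {c.get("name", ""): (c.text or "").strip()
            for c in root.iterfind("./UserDefinedCommands/Command")}


def unexpected_commands(shortcuts_xml: str,
                        baseline: dict[str, str]) -> dict[str, str]:
    """Entries that are new or changed relative to a baseline captured after
    the last edit made through the Notepad++ GUI (the administrative
    counterpart of the "warn on entries not created via the GUI" fix)."""
    return {name: cmd for name, cmd in user_commands(shortcuts_xml).items()
            if baseline.get(name) != cmd}


# Constructed sample: interpreter redirected to a shortcut in a public folder.
CONFIG_XML = r"""<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\Users\Public\update.lnk</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

# Constructed sample: fully qualified but legitimate interpreter.
CLEAN_CONFIG_XML = r"""<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\Windows\System32\cmd.exe</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

# Constructed sample: one GUI-created entry plus one that was added behind
# the user's back ($(FULL_CURRENT_PATH) is a real Notepad++ variable).
SHORTCUTS_XML = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Launch in Firefox" Ctrl="yes" Alt="no" Shift="yes" Key="88">firefox &quot;$(FULL_CURRENT_PATH)&quot;</Command>
    <Command name="Open file" Ctrl="no" Alt="no" Shift="no" Key="0">cmd /c "C:\Users\Public\stage.bat"</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

# Baseline an administrator recorded after the last legitimate GUI edit.
BASELINE = {"Launch in Firefox": 'firefox "$(FULL_CURRENT_PATH)"'}


def main() -> None:
    for code, value in interpreter_findings(CONFIG_XML):
        print(f"config.xml: {code}: {value}")
    for name, cmd in unexpected_commands(SHORTCUTS_XML, BASELINE).items():
        print(f"shortcuts.xml: unexpected Run entry {name!r} -> {cmd}")


if __name__ == "__main__":
    main()
```

Run against the real files, the two functions take the contents of %APPDATA%\Notepad++\config.xml and shortcuts.xml; the baseline dictionary is something to persist (for example in endpoint-management inventory) and refresh whenever a user legitimately edits the Run menu.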


The new version is available in several formats from the download page of the Notepad++ project. For now, users have to fetch it themselves and install it over the existing version manually: the built-in updater of Notepad++ v8.9.5 still reports the software as up to date, because Ho has not yet pushed the new releases (including v8.9.6) out through the update mechanism.

Late last week, Don Ho had already released Notepad++ v8.9.6, which closed a security vulnerability in the installer.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.