Notepad++ <= 8.9.6 Multiple Vulnerabilities (CVE-2026-48770, CVE-2026-48778, CVE-2026-48800)
by atiilla · 2026-05-28
- Severity: High
- CVE: CVE-2026-48770, CVE-2026-48778, CVE-2026-48800
- Category: binary
- Affected product: Notepad++
- Affected versions: Notepad++ <= 8.9.6
- Disclosed: 2026-05-28
- Patch status: unpatched
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-28 |
| Last Updated | N/A |
| Author / Researcher | atiilla |
| CVE / Advisory | CVE-2026-48770, CVE-2026-48778, CVE-2026-48800 |
| Category | binary |
| Severity | High |
| CVSS Score | 5.0 / 7.8 / 7.8 |
| Status | Patched |
| Tags | Notepad++, Windows, OOB-read, DoS, command-injection, config.xml, shortcuts.xml, local |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Notepad++ |
| Versions Affected | Notepad++ <= 8.9.6 |
| Language / Platform | Python, PowerShell, XML payloads on Windows 10/11 |
| Authentication Required | Partial (local user/session interaction) |
| Network Access Required | Local only |
Summary
This PoC set covers three Notepad++ vulnerabilities affecting versions up to 8.9.6. CVE-2026-48770 demonstrates an out-of-bounds read crash by sending malformed WM_COPYDATA data to a running Notepad++ process. CVE-2026-48778 and CVE-2026-48800 demonstrate command execution by controlling values loaded from config.xml and shortcuts.xml, then triggering Notepad++ UI actions that pass attacker-controlled values to process launch functionality.
Vulnerability Details
Root Cause
- CVE-2026-48770: unsafe message handling for `WM_COPYDATA` (dwData=3) allows reading beyond expected bounds when input is not properly terminated.
- CVE-2026-48778: `commandLineInterpreter` from `%APPDATA%\Notepad++\config.xml` is trusted and later invoked through a UI flow without sufficient validation.
- CVE-2026-48800: `<UserDefinedCommands>` entries from `%APPDATA%\Notepad++\shortcuts.xml` are loaded and passed to command execution paths without sanitization.
Attack Vector
- CVE-2026-48770: an attacker process in the same interactive Windows session sends crafted `WM_COPYDATA` to a running Notepad++ instance.
- CVE-2026-48778: an attacker-controlled `config.xml` (direct overwrite or `-settingsDir`) is loaded; the user triggers File -> Open Containing Folder -> cmd.
- CVE-2026-48800: an attacker-controlled `shortcuts.xml` (direct overwrite or `-settingsDir`) is loaded; the user clicks the injected command in the Run menu.
Impact
- CVE-2026-48770: application crash / denial of service.
- CVE-2026-48778: arbitrary command execution in user context.
- CVE-2026-48800: arbitrary command execution in user context.
Environment / Lab Setup
OS: Windows 10/11
Target: Notepad++ <= 8.9.6
Attacker: Authorized local tester in same session
Tools: Python 3.x, PowerShell, Notepad++
Setup Steps
Proof of Concept
Step-by-Step Reproduction
CVE-2026-48770 (crash)
```
powershell -ExecutionPolicy Bypass -File payloads\poc_CVE-2026-48770.ps1
# or: python poc_CVE-2026-48770.py
```
CVE-2026-48778 (config.xml command execution)
```
python poc_CVE-2026-48778.py --mode direct --payload calc.exe
# Trigger in Notepad++: File -> Open Containing Folder -> cmd
python poc_CVE-2026-48778.py --mode direct --restore
```
CVE-2026-48800 (shortcuts.xml command execution)
```
python poc_CVE-2026-48800.py --mode direct --payload calc.exe --name "System Update Check"
# Restart Notepad++, then click Run -> System Update Check
python poc_CVE-2026-48800.py --mode direct --restore
```
Exploit Code
See `poc_CVE-2026-48770.py`, `poc_CVE-2026-48778.py`, and `poc_CVE-2026-48800.py` in this folder.
Expected Output
```
[+] Found Notepad++ HWND: 0x000A08B4
[*] Sending malformed WM_COPYDATA (dwData=3, cbData=8192, no NUL terminator)...
[+] SendMessageTimeout returned 0 - Notepad++ likely crashed (OOB read -> 0xc0000005)
```
Screenshots / Evidence
- The upstream repository includes a demo animation (`demo.gif`) showing the CVE-2026-48778 trigger flow.
- Add local lab screenshots under `screenshots/` if additional evidence is needed.
Detection & Indicators of Compromise
- Unexpected changes to %APPDATA%\Notepad++\config.xml or shortcuts.xml
- Unexpected process execution (for example calc.exe) spawned from Notepad++ UI actions
- Crash events for notepad++.exe with access violation signatures around WM_COPYDATA handling
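The first two indicators can be checked directly against the settings files. The following script is an added example written for this archive entry, not code from the PoC repository or from the Notepad++ project: it parses `config.xml` and `shortcuts.xml` with the standard library and reports a `commandLineInterpreter` value that is not a known shell, plus every `<UserDefinedCommands>` entry that launches something other than a URL. It assumes the `<GUIConfig name="commandLineInterpreter">` layout of `config.xml` and the `<UserDefinedCommands><Command name="...">` layout of `shortcuts.xml`; the token list, the `not-a-shell.exe` placeholder and the sample documents are constructed for the demonstration.

```python
"""Audit the Notepad++ per-user settings files named in this advisory.

Constructed example (not from the PoC repository or from Notepad++): it reads
config.xml and shortcuts.xml and reports the values an attacker would have to
plant to reach the command-execution paths described above.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Shells Notepad++ is normally configured to open; anything else is reported.
EXPECTED_INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# Heuristic list of tokens that should not appear in a user-defined command.
SUSPICIOUS_TOKENS = ("calc.exe", "-enc", "-encodedcommand", "downloadstring",
                     "certutil", "mshta", "rundll32", "regsvr32", "bitsadmin")


def audit_config(xml_text: str) -> list[tuple[str, str]]:
    """Flag a commandLineInterpreter value that is not a known shell.

    Assumes config.xml stores it as <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>.
    """
    findings = []
    for node in ET.fromstring(xml_text).iter("GUIConfig"):
        if node.get("name") != "commandLineInterpreter":
            continue
        value = (node.text or "").strip()
        if value.lower() not in EXPECTED_INTERPRETERS:
            findings.append(("high", f"config.xml: commandLineInterpreter is {value!r}, not a known shell"))
    return findings


def audit_shortcuts(xml_text: str) -> list[tuple[str, str]]:
    """Report every <UserDefinedCommands> entry that launches something other than a URL."""
    findings = []
    udc = ET.fromstring(xml_text).find("UserDefinedCommands")
    if udc is None:
        return findings
    for cmd in udc.findall("Command"):
        name = cmd.get("name", "")
        body = (cmd.text or "").strip()
        low = body.lower()
        if any(tok in low for tok in SUSPICIOUS_TOKENS):
            findings.append(("high", f"shortcuts.xml: command {name!r} runs {body!r}"))
        elif not low.startswith(("http://", "https://")):
            # Launchers exist in default installs too; surface them for review.
            findings.append(("review", f"shortcuts.xml: command {name!r} launches {body!r}"))
    return findings


def audit_settings_dir(settings_dir) -> list[tuple[str, str]]:
    """Run both audits over a settings directory; missing files are skipped."""
    findings = []
    for fname, audit in (("config.xml", audit_config), ("shortcuts.xml", audit_shortcuts)):
        path = Path(settings_dir) / fname
        if not path.is_file():
            continue
        try:
            # utf-8-sig tolerates the BOM some editors write at the start of the file.
            findings.extend(audit(path.read_text(encoding="utf-8-sig")))
        except ET.ParseError as exc:
            findings.append(("review", f"{fname}: not well-formed XML ({exc})"))
    return findings


# Constructed samples: a tampered config.xml and a shortcuts.xml with one injected entry.
SAMPLE_CONFIG = (
    '<NotepadPlus><GUIConfigs>'
    '<GUIConfig name="commandLineInterpreter">C:\\Users\\Public\\not-a-shell.exe</GUIConfig>'
    '</GUIConfigs></NotepadPlus>'
)
SAMPLE_SHORTCUTS = (
    '<NotepadPlus><UserDefinedCommands>'
    '<Command name="Get PHP help" Ctrl="no" Alt="no" Shift="no" Key="0">https://www.php.net/$(CURRENT_WORD)</Command>'
    '<Command name="Launch in Firefox" Ctrl="no" Alt="no" Shift="no" Key="0">firefox "$(FULL_CURRENT_PATH)"</Command>'
    '<Command name="System Update Check" Ctrl="no" Alt="no" Shift="no" Key="0">calc.exe</Command>'
    '</UserDefinedCommands></NotepadPlus>'
)


def demo() -> list[tuple[str, str]]:
    """Write the samples to a temporary settings directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "config.xml").write_text(SAMPLE_CONFIG, encoding="utf-8")
        Path(tmp, "shortcuts.xml").write_text(SAMPLE_SHORTCUTS, encoding="utf-8")
        return audit_settings_dir(tmp)


if __name__ == "__main__":
    # Audit the live profile when %APPDATA% exists (Windows), otherwise the samples.
    appdata = os.environ.get("APPDATA")
    live = Path(appdata, "Notepad++") if appdata else None
    results = audit_settings_dir(live) if live and live.is_dir() else demo()
    for severity, message in results:
        print(f"[{severity}] {message}")
```

Run it under the account whose profile is being checked, since the files live in that user's `%APPDATA%`; on a clean default install the shortcuts audit still lists the built-in launcher entries at `review` level, so the useful signal is a new name or a `high` hit rather than a non-empty result. Comparing the output against a baseline captured at install time is the simplest way to turn this into an alert.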
Remediation
| Action | Detail |
|---|---|
| Patch | Update Notepad++ to 8.9.6.1 or later |
| Workaround | Restrict write access to %APPDATA%\Notepad++ files; avoid loading untrusted settings directories |
| Config Hardening | Monitor/alert on suspicious changes to config.xml and shortcuts.xml; enforce application allowlisting |
References
- Source Repository — atiilla/Notepad-8.9.6-PoC
- Notepad++ Downloads / Release Channel
- GHSA-r39g-3mcw-xcg2
- GHSA-7hm3-wp5q-ccv9
- GHSA-3x3f-3j39-pj3v
Notes
Auto-ingested from https://github.com/atiilla/Notepad-8.9.6-PoC on 2026-05-28.