The developers behind Notepad++ have released version 8.9.6.1 to address multiple security vulnerabilities, including critical flaws that could expose users to remote code execution (RCE) attacks under certain conditions. The patched vulnerabilities, disclosed on May 26, 2026, include CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800, all affecting Notepad++ versions up to 8.9.6.
The most serious of the patched flaws is CVE-2026-48778, a high-severity vulnerability stemming from improper handling of configuration data in the widely used Windows text editor. Security researchers warned that the flaw could allow attackers to execute arbitrary commands by manipulating application settings files.
CVE-2026-48778: Critical Notepad++ RCE Vulnerability
The vulnerability tracked as CVE-2026-48778 originates from the way Notepad++ processes entries within the config.xml file. Specifically, the issue affects the <GUIConfig name="commandLineInterpreter"> parameter, which the application reads without applying validation, integrity checks, or allowlist restrictions.
According to the vulnerability details, Notepad++ later uses this parameter when a user selects the “Open Containing Folder in cmd” feature. Because the value is not properly sanitized, an attacker can alter the executable path and force the application to launch unintended programs.
Researchers demonstrated the exploitability of CVE-2026-48778 through a proof-of-concept attack that replaced the expected command prompt behavior with the execution of calc.exe. Triggering the feature caused the Windows Calculator application to open, confirming that arbitrary code execution was possible through malicious configuration manipulation.
The flaw has been classified under CWE-78, which covers OS Command Injection vulnerabilities. Despite requiring user interaction, the vulnerability has drawn concern because of its low attack complexity and lack of privilege requirements, making it a realistic threat in enterprise and personal computing environments.
Multiple Attack Vectors Increase RCE Risk
Although CVE-2026-48778 is not considered a fully automated exploit, researchers noted several practical attack paths that could still make the Notepad++ flaw dangerous in real-world scenarios.
One potential method involves directly modifying the %APPDATA%\Notepad++\config.xml file under the current user context. Attackers may also distribute specially crafted shortcut files that abuse the -settingsDir parameter to redirect the application toward attacker-controlled configuration directories.
Additional attack scenarios include poisoning cloud-synchronized configuration paths supported by Notepad++ or relying on social engineering tactics to convince users to extract malicious archives into AppData directories. These techniques could allow threat actors to weaponize trusted workflows without immediately attracting attention.
Because Notepad++ is widely deployed across developer systems, administrative environments, and enterprise workstations, the possibility of RCE exploitation through manipulated configuration files significantly increases the security impact of CVE-2026-48778.
CVE-2026-48770 and CVE-2026-48800 Also Patched
In addition to the primary RCE vulnerability, the latest Notepad++ update addresses two other security flaws.
CVE-2026-48770 involves a crash vulnerability triggered by malformed structures. Successful exploitation could lead to denial-of-service conditions that disrupt the normal functioning of the application.
Meanwhile, CVE-2026-48800 is another arbitrary code execution issue associated with improper handling of the shortcuts.xml file. Like CVE-2026-48778, this flaw demonstrates the broader security risks tied to unsafe processing of configuration and shortcut-related data.
The disclosure of CVE-2026-48770 and CVE-2026-48778 highlights the growing attention being placed on configuration-based attack surfaces within desktop applications. Security researchers have repeatedly warned that insufficient validation of locally stored configuration files can create opportunities for privilege abuse and command execution.
Notepad++ Users Urged to Install Security Update
Users and organizations are being advised to upgrade immediately to Notepad++ version 8.9.6.1 to mitigate exposure to CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800.
The updated release improves the way the application handles configuration data and reduces the likelihood of malicious executable paths being processed through internal features.
Security experts also recommend additional defensive measures beyond patching. These include monitoring sensitive configuration files for unauthorized modifications, restricting write permissions to application directories, and validating executable paths wherever possible.
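The monitoring and path-validation advice above can be turned into a simple audit of config.xml. The following is an added example, not code from the Notepad++ project or the researchers; it assumes the interpreter is stored as the text of the GUIConfig element named commandLineInterpreter, and the allowlist and sample files are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: shells this organisation accepts; adjust to local policy.
ALLOWED = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# Constructed sample inputs (not real user files).
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">powershell</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_TAMPERED = SAMPLE_OK.replace("powershell", "calc.exe")


def audit_command_interpreter(xml_text, allowed=ALLOWED):
    """Return findings for commandLineInterpreter entries in config.xml text."""
    # The file is untrusted input: refuse DTDs so entity declarations are never parsed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["config contains a DTD/entity declaration; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"config is not well-formed XML: {exc}"]
    findings = []
    for node in root.iter("GUIConfig"):
        if node.get("name") != "commandLineInterpreter":
            continue
        # Assumption: the interpreter is the element's text content.
        value = (node.text or "").strip()
        # Whole-value, case-insensitive match: a path, added arguments or any
        # other program name fails the allowlist and is reported.
        if value.lower() not in allowed:
            findings.append(f"unexpected commandLineInterpreter value: {value!r}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_npp_config.py <config.xml> [more paths...]
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            for finding in audit_command_interpreter(fh.read()):
                print(f"{path}: {finding}")
                status = 1
    sys.exit(status)
```

Run it against every config.xml in use, including directories supplied through -settingsDir and any cloud-synchronized configuration path, since each of those locations is a place the setting can be changed.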