Critical Notepad++ Flaws Let Attackers Run Malicious Code — Update Now
Update Notepad++ to v8.9.6.1 to patch critical security flaws, including CVE-2026-48778, preventing malicious executable path attacks.
By Content Team
Notepad++ has patched three security vulnerabilities in version v8.9.6.1, released May 26, 2026 — two of them critical. The worst, CVE-2026-48778, lets attackers plant a malicious executable path inside Notepad++'s config.xml file. When a user opens a folder via the command line menu, Windows runs the attacker's program instead. No validation, no warning.
A second critical flaw, CVE-2026-48800, works the same way but targets shortcuts.xml. Attack paths include modifying local config files, poisoning cloud-synced settings, or social engineering via archive extraction.
Anyone running v8.9.6 or earlier should update immediately from the official releases page.
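A defender's check for the two files named above, as an added example (not code from this article or from the Notepad++ project): it lists every program reference found in a settings file and reports those missing from a reviewed allowlist. The article does not say which setting holds the path, so the scan covers all element text and attributes; the sample XML, element names, paths and allowlist are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Extensions treated as "launches a program"; .com is omitted to avoid matching URLs.
EXT = r"\.(?:exe|bat|cmd|ps1|vbs|scr|lnk)"
# A quoted string, or a whitespace-free token, that ends in one of those extensions.
# Limitation: a bare name with no extension (e.g. "cmd") is not matched.
EXEC_RE = re.compile(r'"([^"]+?' + EXT + r')"|([^\s"<>|]+' + EXT + r")(?![\w.])", re.I)

def find_exec_refs(xml_text):
    """Return (element tag, 'text' or '@attr', reference) for each program reference."""
    refs = []
    for el in ET.fromstring(xml_text).iter():
        values = [("text", el.text or "")] + [("@" + k, v) for k, v in el.attrib.items()]
        for source, value in values:
            for m in EXEC_RE.finditer(value):
                refs.append((el.tag, source, m.group(1) or m.group(2)))
    return refs

def audit(xml_text, allowed):
    """Return the references that are not on the reviewer's allowlist."""
    allowed = {a.lower() for a in allowed}
    return [r for r in find_exec_refs(xml_text) if r[2].lower() not in allowed]

# Constructed samples; element names and paths are illustrative assumptions.
SAMPLE_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="exampleSetting">C:\Users\Public\sync\helper.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_SHORTCUTS = r"""<NotepadPlus><UserDefinedCommands>
  <Command name="Docs">https://example.org/$(CURRENT_WORD)</Command>
  <Command name="Lint">"C:\Program Files\Tools\lint.exe" "$(FULL_CURRENT_PATH)"</Command>
</UserDefinedCommands></NotepadPlus>"""

if __name__ == "__main__":
    approved = {r"C:\Program Files\Tools\lint.exe"}
    for label, xml_text in (("config.xml", SAMPLE_CONFIG), ("shortcuts.xml", SAMPLE_SHORTCUTS)):
        for tag, source, ref in audit(xml_text, approved):
            print(f"{label}: unexpected program reference in <{tag}> {source}: {ref}")
```

Running the same audit on settings restored from a cloud sync or unpacked from an archive, before Notepad++ loads them, covers the delivery routes the article lists.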
Source: Cybersecurity News