Notepad++ has patched three security vulnerabilities in v8.9.6.1, released May 26, 2026, two of them critical. The worst, CVE-2026-48778, lets attackers plant a malicious executable path inside Notepad++'s config.xml file. When a user opens a folder via the command line menu, Windows runs the attacker's program instead. No validation, no warning.
A second critical flaw, CVE-2026-48800, works the same way but targets shortcuts.xml. Attack paths include modifying local config files, poisoning cloud-synced settings, or social engineering via archive extraction.
Anyone running v8.9.6 or earlier should update immediately from the official releases page.
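Because both flaws depend on an executable path stored in config.xml or shortcuts.xml, reviewing those files after updating shows whether anything unexpected was planted. The following audit script is an added example, not code from Notepad++ or the advisory. The advisory text here does not name the affected settings, so the script checks every element and attribute value. The sample XML, its element names and the "risky prefix" policy are constructed assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Extensions Windows launches directly or through a script host.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|ps1|vbs|js|hta|scr|lnk|msi)\b", re.I)
# Assumed policy: remote shares and user-writable locations deserve extra scrutiny.
RISKY_PREFIX = re.compile(
    r'^"?(\\\\|[a-z]:\\users\\|%(temp|appdata|localappdata|userprofile)%)', re.I)

def audit_xml(xml_text, source):
    """Return (source, location, value, reason) for each value to review."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [(source, "<document>", "", f"unparseable XML: {exc}")]
    findings = []
    for elem in root.iter():
        values = [(f"<{elem.tag}> text", elem.text or "")]
        values += [(f"<{elem.tag}> @{k}", v) for k, v in elem.attrib.items()]
        for where, value in values:
            value = value.strip()
            if not EXEC_EXT.search(value):
                continue
            risky = RISKY_PREFIX.search(value)
            reason = ("executable under remote or user-writable path"
                      if risky else "executable reference")
            findings.append((source, where, value, reason))
    return findings

# Constructed samples; element and attribute names are illustrative only.
SAMPLE_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="exampleShell">C:\Users\Public\Downloads\helper.exe</GUIConfig>
  <GUIConfig name="exampleTheme">stylers.xml</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_SHORTCUTS = r"""<NotepadPlus><UserDefinedCommands>
  <Command name="Example">notepad.exe "$(FULL_CURRENT_PATH)"</Command>
</UserDefinedCommands></NotepadPlus>"""

if __name__ == "__main__":
    if sys.argv[1:]:  # audit real files given on the command line
        docs = [(p, open(p, encoding="utf-8", errors="replace").read())
                for p in sys.argv[1:]]
    else:
        docs = [("config.xml", SAMPLE_CONFIG), ("shortcuts.xml", SAMPLE_SHORTCUTS)]
    for name, text in docs:
        for finding in audit_xml(text, name):
            print(" | ".join(finding))
```

Pass the paths of the real config.xml and shortcuts.xml as arguments to audit them; every reported value is a candidate for manual review, not a confirmed compromise.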
Source: Cybersecurity News