The Vulnerabilities
Notepad++, the popular open-source text editor for Windows, has issued an emergency security update to address three vulnerabilities, including two critical flaws that could allow attackers to execute arbitrary code on a victim’s machine. The most severe issue involves the config.xml file, where an attacker can inject a malicious command interpreter string through the “commandLineInterpreter” tag. The editor stores this value without any validation or signature check, and when the user triggers a specific file menu command, the application passes the attacker-controlled string directly to a system function that executes it.
How Exploitation Works
The attack can be carried out through several realistic methods. A malicious process running under the same user account can directly modify the config.xml file. Attackers can also use malicious shortcut files that redirect Notepad++ to an attacker-controlled settings directory. Cloud sync poisoning is another vector, as Notepad++ supports user-configurable cloud paths, so a compromised cloud storage account could deliver a tampered configuration. Social engineering is also a viable path, for example tricking users into extracting an archive containing malicious files into the AppData folder.
Mitigation and Recommendations
The development team released version 8.9.6.1 on May 26, 2026, patching all three vulnerabilities. Users running version 8.9.6 or earlier should update immediately. Security researchers also recommend that Notepad++ developers implement a whitelist of permitted command-line interpreters, such as cmd.exe and powershell.exe, to prevent future attacks of this nature.
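As an added example (not code from the article or from the Notepad++ project), the following Python script applies the allowlist recommended above from the outside, so an administrator can audit a config.xml for a tampered commandLineInterpreter value of the kind described under The Vulnerabilities. The GUIConfig element layout and both sample files are constructed assumptions; only the key name and the two permitted interpreters come from the article.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Allowlist named in the article: only these interpreters are accepted.
ALLOWED_INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed config.xml samples. The element layout (a GUIConfig carrying
# name="commandLineInterpreter") is an assumption; the key name is from the page.
SAMPLE_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">cmd.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""

SAMPLE_TAMPERED = """<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\\Users\\Public\\evil.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""


def interpreter_values(xml_text: str) -> list[str]:
    """Collect every commandLineInterpreter value, whether it appears as an
    element of that name or as an element whose name attribute is that key."""
    root = ET.fromstring(xml_text)
    return [
        (el.text or "").strip()
        for el in root.iter()
        if el.tag == "commandLineInterpreter" or el.get("name") == "commandLineInterpreter"
    ]


def check_config(xml_text: str) -> list[str]:
    """Return findings for values outside the allowlist; empty means clean.

    Only the final path component is compared (lower-cased, '.exe' appended to a
    bare name), so a value that smuggles in arguments or another binary is flagged.
    A stricter deployment would also pin the directory, not just the file name."""
    findings = []
    for value in interpreter_values(xml_text):
        name = PureWindowsPath(value).name.lower()
        if name and "." not in name:
            name += ".exe"
        if name not in ALLOWED_INTERPRETERS:
            findings.append(f"commandLineInterpreter not allowlisted: {value!r}")
    return findings
```

Run it against the real config.xml from the Notepad++ settings directory by reading that file's text into check_config; an empty list means every configured interpreter is on the allowlist.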
Source: Cyber Security News