CVE-2026-48800

Published Jun 26, 2026

Last updated 14 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48800 is an OS Command Injection vulnerability found in Notepad++, a popular text editor for Windows. This flaw specifically affects the `UserDefinedCommands` component within the `shortcuts.xml` file. The vulnerability arises from insufficient input validation of the `<Command>` tag, which is subsequently passed directly to the `ShellExecute` function as an executable path. Exploitation of CVE-2026-48800 could allow an attacker with local access to execute arbitrary code on the affected system. This vulnerability was addressed by the Notepad++ development team in version 8.9.6.1, released on May 26, 2026, as part of a patch for a trio of security issues.

Description
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validation. When the user clicks the corresponding entry in the Run menu, NppCommands.cpp:4264 creates a Command object with string2wstring(ucmd.getCmd()) and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. The injected command appears as a normal menu item in the Run menu, making it a viable persistence mechanism. This vulnerability is fixed in 8.9.6.1.
Source
security-advisories@github.com
NVD status
Modified
Products
notepad\+\+

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score
Not currently trending
  1. 🚨*CVE* CVE-2026-48800 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the tag text content inside

    @infoflowcloud

    27 Jun 2026

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️ Vulnerabilidades en productos Notepad++ ❗ CVE-2026-48800 ❗ CVE-2026-48778 ➡️ Más info: https://t.co/YIct5soKdR https://t.co/vGNRxPAhql

    @CERTpy

    11 Jun 2026

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2026-48778 &amp; CVE-2026-48800 | Notepad++ | CVSS 7.8 HIGH 🐛 Config file injection - fake Run menu entries execute attacker code and survive reboots ✅ Fixed: Notepad++ 8.9.6.1 (May 27) 🔗 https://t.co/4APJxtIc56 #CVE #Cybersecurity #InfoSec #PatchNow

    @mwbengtsson

    2 Jun 2026

    471 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Notepad++で深刻なコマンドインジェクションの脆弱性が2件修正。shortcuts.xmlからのCVE-2026-48800とconfig.xmlからのCVE-2026-48778。PoC(攻撃の概念実証コード)公開済み。 https://t.co/XVVXBpn5WN

    @__kokumoto

    1 Jun 2026

    1084 Impressions

    1 Retweet

    7 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. Notepad++ vulnerabilities could enable arbitrary code execution on Windows systems (CVE-2026-48778 and CVE-2026-48800) https://t.co/LpMC86gA0w #patchmanagement

    @eyalestrin

    30 May 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. GitHub - atiilla/Notepad-8.9.6-PoC: Proof-of-concept scripts for three vulnerabilities in Notepad++ &lt;= 8.9.6, patched in v8.9.6.1 (2026-05-26) CVE-2026-48770 / CVE-2026-48778 / CVE-2026-48800 · GitHub - https://t.co/nSK5LtNkDy

    @piedpiper1616

    30 May 2026

    430 Impressions

    1 Retweet

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Se han revelado vulnerabilidades críticas (CVE-2026-48778 y CVE-2026-48800) en el popular editor Notepad++ que permiten la ejecución arbitraria de código (RCE). El fallo radica en la falta de validación de comandos dentro de los archivos de configuración (config.xml y https:

    @tpx_Security

    29 May 2026

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Notepad++ &lt;= 8.9.6 Multiple Vulnerabilities (CVE-2026-48770, CVE-2026-48778, CVE-2026-48800) poc: https://t.co/hynIeZp5SS https://t.co/Et7ZKIEN5v

    @hackingspace

    29 May 2026

    272 Impressions

    0 Retweets

    3 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  9. csirt_it: ‼️ #Notepad++: disponibili #PoC per le CVE-2026-48800, CVE-2026-48778 e CVE-2026-48770 che interessano il noto editor di testo Rischio: 🔴 Tipologia: 🔸 Arbitrary Code Execution 🔸 Denial of Service 🔗 https://t.co/tG5AKVnGtJ 🔄 Aggiorname… https://

    @Vulcanux_

    28 May 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 اذا انت من الجيل القديم ولاتزال تستخدم Notepad++ حدّث البرنامج فوراً إلى الإصدار الأخير (v8.9.6.1). 📍 الثغرة الأولى: (CVE-2026-48770) 📍 الثغرة الثانية: (CVE-2026-48778) 📍

    @buhaimedi

    28 May 2026

    3715 Impressions

    4 Retweets

    35 Likes

    18 Bookmarks

    3 Replies

    0 Quotes

  11. ‼️ #Notepad++: disponibili #PoC per le CVE-2026-48800, CVE-2026-48778 e CVE-2026-48770 che interessano il noto editor di testo Rischio: 🔴 Tipologia: 🔸 Arbitrary Code Execution 🔸 Denial of Service 🔗 https://t.co/DEGdsIPlJS 🔄 Aggiornamenti disponibili 🔄 h

    @csirt_it

    28 May 2026

    253 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. برای ابزار پرکاربرد Notepad plus plus چندین آسیب پذیری از نوع Code execution با کدهای شناسایی CVE-2026-48770 و CVE-2026-48778 و CVE-2026-48800 منتشر شده است . برای امن سازی به نسخه 8.9.6.1 به رو

    @EthicalSafe

    28 May 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations