CVE-2026-48770
Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash
Vexday Risk Score: 33 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS 5 | EPSS 0.3% | KEV: no | PoC: public | Nuclei: — | Metasploit: — | Patch: —
Lifecycle
28 May 2026: Public PoC
26 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
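The length check the description says is missing, as an added example (not Notepad++'s code or its actual patch): the receiver treats cbData as the hard limit and rejects any payload with no NUL inside it. The names copydata_t, wchar16 and copydata_to_wstr are hypothetical, and the struct is a portable stand-in for the Win32 COPYDATASTRUCT so the code builds without windows.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for Win32 COPYDATASTRUCT (same field names); wchar16 models the
   16-bit Windows wchar_t. Both type names are hypothetical. */
typedef uint16_t wchar16;
typedef struct {
    uintptr_t   dwData;  /* message selector chosen by the sender */
    uint32_t    cbData;  /* size of lpData in BYTES, sender-controlled */
    const void *lpData;  /* payload; only cbData bytes are valid */
} copydata_t;

/* Copy a wide string out of a WM_COPYDATA payload without reading past
   cbData. Returns the length in characters, or -1 if the payload is malformed
   (NULL, empty, odd byte count, no NUL inside cbData, or too long for out). */
static long copydata_to_wstr(const copydata_t *cds, wchar16 *out, size_t out_cap)
{
    if (!cds || !out || out_cap == 0) return -1;
    if (!cds->lpData || cds->cbData == 0) return -1;
    if (cds->cbData % sizeof(wchar16) != 0) return -1;

    size_t max_chars = cds->cbData / sizeof(wchar16);
    const unsigned char *p = (const unsigned char *)cds->lpData;
    for (size_t i = 0; i < max_chars; i++) {
        wchar16 c;
        memcpy(&c, p + i * sizeof c, sizeof c);   /* no alignment assumption */
        if (c == 0) { out[i] = 0; return (long)i; }
        if (i + 1 >= out_cap) return -1;          /* no room left for the NUL */
        out[i] = c;
    }
    return -1;  /* unterminated: a wcslen()-style scan would run off the end */
}

/* Constructed sample payloads (not taken from any PoC). */
static const wchar16 GOOD[] = { 'a', '.', 't', 'x', 't', 0 };
static const wchar16 UNTERMINATED[] = { 'A', 'A', 'A', 'A' };

int main(void)
{
    wchar16 buf[64];
    copydata_t ok  = { 0, (uint32_t)sizeof GOOD, GOOD };
    copydata_t bad = { 0, (uint32_t)sizeof UNTERMINATED, UNTERMINATED };
    return (copydata_to_wstr(&ok, buf, 64) == 5 &&
            copydata_to_wstr(&bad, buf, 64) == -1) ? 0 : 1;
}
```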
Affected products
notepad-plus-plus · notepad-plus-plus
Public PoCs found: 1
github: github.com/atiilla/Notepad-8.9.6-PoC (★ 5)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.