CVE-2026-48778
Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
Vexday Risk Score
41 (Attention)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.8
EPSS 1.4%
KEV: no
Public PoC: yes
Nuclei: —
Metasploit: —
Patch: —
Lifecycle
30 May 2026: Public PoC
26 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.
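The description above boils down to one configuration value that reaches ShellExecute unchanged, so the practical defender's question is whether any config.xml on your estate carries a non-default value for that tag. The following auditor is an added example written for this page; it is not code from the advisory, from Vexday, or from the Notepad++ project. It assumes the stock value of the tag is "cmd" (taken from the default config.model.xml that ships with Notepad++, not stated on this page) and treats any other value, any path separator, or a direct script/executable filename as a finding to review rather than as proof of compromise. The two config fragments embedded in it are constructed samples.

```python
"""Audit a Notepad++ config.xml for a tampered commandLineInterpreter value.

Added example, not from the advisory or the Notepad++ project. Assumptions:
  - the default value of <GUIConfig name="commandLineInterpreter"> is "cmd"
    (assumed from the stock config.model.xml, not from this page);
  - any other value, a path separator, or an explicit script/executable name
    is a finding that warrants a look, not proof of compromise.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional

DEFAULT_INTERPRETER = "cmd"   # assumed default; adjust if your baseline differs

# Constructed sample config.xml fragments (not real captured files).
SAMPLE_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
  </GUIConfigs>
</NotepadPlus>
"""

SAMPLE_TAMPERED = """<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\\Users\\Public\\suspicious.exe</GUIConfig>
  </GUIConfigs>
</NotepadPlus>
"""


def interpreter_value(xml_text: str) -> Optional[str]:
    """Return the text of <GUIConfig name="commandLineInterpreter">, or None if absent."""
    root = ET.fromstring(xml_text)
    for node in root.iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            return (node.text or "").strip()
    return None


def audit(xml_text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    value = interpreter_value(xml_text)
    if value is None:
        return findings  # tag absent: Notepad++ falls back to its built-in default
    if value != DEFAULT_INTERPRETER:
        findings.append(f"commandLineInterpreter is '{value}', expected '{DEFAULT_INTERPRETER}'")
    if any(sep in value for sep in ("\\", "/")):
        findings.append("commandLineInterpreter contains a path separator (points at a specific file)")
    if value.lower().endswith((".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js")):
        findings.append("commandLineInterpreter names a script or executable file directly")
    return findings


def audit_file(path: Path) -> List[str]:
    """Audit a config.xml on disk (per-user copies live under %APPDATA%\\Notepad++)."""
    return audit(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        result = audit(sample)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it against each user's config.xml as part of a baseline check; a non-empty result is worth pairing with the upgrade to 8.9.6.1, since on a patched build the value is still the thing an attacker would have had to plant, and a stale tampered entry tells you someone already did.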
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
notepad-plus-plus · notepad-plus-plus
Public PoCs found — 3
github: github.com/XK3NF4/CVE-2026-48778 (★ 7)
github: github.com/kavin-jindal/CVE-2026-48778-PoC (★ 0)
exploitdb: www.exploit-db.com/exploits/52606 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.