Multiple Critical RCE Flaws Discovered in Notepad++ Affect Millions of Windows Users
Notepad++ has been found to contain three serious vulnerabilities—two remote‑code‑execution flaws (CVE‑2026‑48778, CVE‑2026‑48800) and a denial‑of‑service issue (CVE‑2026‑48770)—all exploiting unchecked XML configuration files, putting millions of Windows users at high risk until they apply the latest security update.
1. Vulnerability Overview
Notepad++ is one of the most popular Windows text editors, widely used by developers, operations engineers, and students. Three vulnerabilities have been disclosed:
CVE-2026-48778 – Command injection via config.xml (CVSS 8.8, high severity).
CVE-2026-48800 – Code execution via shortcuts.xml (severity not disclosed).
CVE-2026-48770 – Denial‑of‑service caused by malformed XML (severity not disclosed).
CVE-2026-48778 is the most severe, with low attack complexity and the ability to execute arbitrary commands under the current user’s privileges, which on many Windows machines means full administrator control.
2. Technical Details: How the Attacks Work
2.1 CVE-2026-48778 – config.xml command injection
The editor’s configuration files reside in %APPDATA%\Notepad++\. The XML tag <GUIConfig name="commandLineInterpreter"> can be manipulated to inject any command. An attacker only needs to replace the legitimate config.xml with a malicious version; the commands run silently when Notepad++ starts or invokes the interpreter, without any security warning.
With a CVSS score of 8.8 and low attack complexity, successful exploitation yields code execution as the current user, which often means full system compromise on Windows machines where users run as administrators.
2.2 CVE-2026-48800 – shortcuts.xml code execution
The shortcuts.xml file stores custom shortcut bindings and is also placed under %APPDATA%\Notepad++\. Inserting a malicious configuration entry leads to code execution when Notepad++ loads the shortcut list. Although the vendor has not released detailed technical data, the attack path mirrors that of CVE-2026-48778, exploiting the same lack of content validation.
2.3 CVE-2026-48770 – malformed XML DoS
This vulnerability is simpler: a crafted malformed XML file causes Notepad++ to crash during parsing. While it only affects availability, the resulting downtime can be costly for users who rely on Notepad++ for log analysis or code editing.
3. Domestic Impact: Why It Matters Locally
Notepad++ enjoys an extremely large user base in China. Unlike VS Code or Sublime Text, it is portable, starts instantly, and handles Chinese encoding well, making it ubiquitous in university labs, government offices, and traditional enterprise IT environments.
The widespread adoption creates two major security concerns:
Phishing and supply‑chain attacks: malicious “green” (portable) cracked builds or “enhanced plugin” versions may embed malicious configuration files, tricking inexperienced students and operators who cannot verify file integrity.
Internal lateral movement: after compromising a domain machine, an attacker can drop a malicious config.xml into %APPDATA%\Notepad++\ on other machines; the next launch of Notepad++ automatically executes the payload, requiring only write access to the directory.
4. Mitigation Recommendations
Upgrade Notepad++ immediately from the official website or the GitHub Releases page; avoid third‑party distribution channels.
Verify the integrity of config.xml and shortcuts.xml in %APPDATA%\Notepad++\; look for unexpected <GUIConfig name="commandLineInterpreter"> tags or abnormal XML structures.
Do not download unofficial or “enhanced” builds that may already contain malicious configuration files.
In enterprise settings, employ Endpoint Detection and Response (EDR) solutions to monitor write activity to %APPDATA%\Notepad++\ and alert on suspicious changes.
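The integrity check recommended above can be scripted. The following is an added example (not from the article or the Notepad++ project) that parses a config.xml, flags any <GUIConfig name="commandLineInterpreter"> value that deviates from a baseline, reports duplicate entries and shell metacharacters, and treats unparseable XML as a finding rather than crashing. It assumes the clean default value is "cmd" and the path %APPDATA%\Notepad++\config.xml; the sample documents are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Assumed default; baseline it against a known-good Notepad++ install.
DEFAULT_INTERPRETER = "cmd"
CONFIG_PATH = os.path.join(os.environ.get("APPDATA", ""), "Notepad++", "config.xml")
SHELL_METACHARS = set('&|;<>"\'\n')


def audit_config_xml(xml_text: str, expected: str = DEFAULT_INTERPRETER) -> list[str]:
    """Return findings for one config.xml document; an empty list means clean.

    Flags unparseable XML (the kind of input the article's DoS bug trips on),
    a commandLineInterpreter value that differs from the baseline, duplicate
    entries for that setting, and shell metacharacters inside the value.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    entries = [e for e in root.iter("GUIConfig") if e.get("name") == "commandLineInterpreter"]
    if len(entries) > 1:
        findings.append(f"{len(entries)} commandLineInterpreter entries, expected 1")
    for entry in entries:
        value = (entry.text or "").strip()
        if value != expected:
            findings.append(f"commandLineInterpreter is {value!r}, expected {expected!r}")
        if SHELL_METACHARS & set(value):
            findings.append("commandLineInterpreter contains shell metacharacters")
    return findings


# Constructed sample documents for demonstration, not real captured files.
CLEAN_XML = """<NotepadPlus><GUIConfigs>
<GUIConfig name="commandLineInterpreter">cmd</GUIConfig></GUIConfigs></NotepadPlus>"""
TAMPERED_XML = """<NotepadPlus><GUIConfigs>
<GUIConfig name="commandLineInterpreter">cmd /c placeholder.exe &amp; cmd</GUIConfig>
</GUIConfigs></NotepadPlus>"""
MALFORMED_XML = "<NotepadPlus><GUIConfigs><GUIConfig name="

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_XML), ("tampered", TAMPERED_XML), ("malformed", MALFORMED_XML)):
        print(label, audit_config_xml(doc) or ["OK"])
    if os.path.isfile(CONFIG_PATH):  # audit the live file when run on Windows
        with open(CONFIG_PATH, encoding="utf-8") as fh:
            print("local", audit_config_xml(fh.read()) or ["OK"])
```

Run it from a scheduled task or an EDR custom script to alert whenever the live file produces findings; keep the baseline value per managed image, since a non-default interpreter can be a legitimate local setting.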
5. Conclusion
All three flaws stem from a single design weakness: the lack of validation for configuration files. The vulnerabilities give attackers a low‑effort, high‑impact path to compromise millions of Windows users. Prompt patching and configuration‑file integrity checks are essential to mitigate the risk.
This article has been distilled and summarized from source material, then republished for learning and reference.
Black & White Path