The developers behind Notepad++ have released version 8.9.6.1 to address multiple security vulnerabilities, including critical flaws that could expose users to remote code execution (RCE) attacks under certain conditions. The patched vulnerabilities, disclosed on May 26, 2026, include CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800, all affecting Notepad++ versions up to 8.9.6. 

The most serious of the patched flaws is CVE-2026-48778, a high-severity vulnerability stemming from improper handling of configuration data in the widely used Windows text editor. Security researchers warned that the flaw could allow attackers to execute arbitrary commands by manipulating application settings ...