
Notepad++ vulnerabilities could enable arbitrary code execution on Windows systems
Two arbitrary code execution vulnerabilities in Notepad++ let local attackers run commands of their choice on Windows machines by tampering with the editor’s XML configuration files, with both flaws rated High at CVSS 7.8.
The flaws, tracked as CVE-2026-48778 and CVE-2026-48800, affect every version of the editor up to and including 8.9.6, Notepad++ said in a release note. However, the vulnerabilities were patched the same day in version 8.9.6.1, alongside a third lower-severity crash bug, CVE-2026-48770, Notepad++ author Don Ho wrote in the release note.
The two code execution flaws share a single design weakness. Notepad++ stores user choices, such as the path to the command-line interpre...