Multiple critical vulnerabilities in Notepad++ allow attackers to execute arbitrary code

29 May 2026

Security researchers have identified multiple critical vulnerabilities in Notepad++ that could allow attackers to crash the application or execute arbitrary code through specially crafted XML configuration files.

 

The vulnerabilities are associated with the way Notepad++ processes XML structures and configuration files such as config.xml and shortcuts.xml. Attackers can exploit these flaws by tricking users into opening malicious XML or configuration files, potentially leading to system compromise.

 

Because Notepad++ is widely used by developers, administrators, and enterprise users, exploitation of these vulnerabilities may have a significant impact across corporate environments.

About the vulnerability

Vendor + Component 

Version affected 

CVE identifier  

About 

Severity 

Free and open source software (developed by Don Ho)  

 

XML configuration processing components  

 

 

Notepad++  

Versions prior to v8.9.6.1 

CVE-2026-48770 

Crash via malformed XML structure 

High  

CVE-2026-48778 

Arbitrary Code Execution via `config.xml` 

Critical 

CVE-2026-48800 

Arbitrary Code Execution via `shortcuts.xml` 

Critical 

What can attackers do with the vulnerabilities?

Attackers can:

 

  • Trigger application crashes using malformed XML content
  • Execute arbitrary code via malicious `config.xml` files
  • Exploit crafted `shortcuts.xml` files for code execution
  • Deliver payloads through phishing or malicious downloads
  • Gain unauthorized access to affected systems

 

Threats posed by the vulnerabilities

 

  • Arbitrary Code Execution (RCE)
  • System compromise
  • Malware deployment
  • Unauthorized access
  • Credential theft

SharkStriker’s recommendations

SharkStriker’s SOC team has:

  • initiated impact assessment for the specific vulnerabilities
  • Developed and shared the advisory
  • Reviewed the detection signatures for XML based exploitation
  • Enhanced endpoint monitoring for suspicious activities
  • Initiated threat hunting for malicious configuration file abuse and
  • Notified and made customers aware

 

SharkStriker’s recommendations:

  • Update Notepad++ to v8.9.6.1 immediately
  • Conduct enterprise-wide vulnerability assessment for outdated versions
  • Monitor endpoints for suspicious XML file activity
  • Restrict execution of untrusted configuration files
  • Implement enhanced endpoint detection policies

 

Official advisory: https://notepad-plus-plus.org/news/v8961-released/

Get in Touch With us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE