Multiple critical vulnerabilities in Notepad++ allow attackers to execute arbitrary code
29 May 2026
Security researchers have identified multiple critical vulnerabilities in Notepad++ that could allow attackers to crash the application or execute arbitrary code through specially crafted XML configuration files.
The vulnerabilities are associated with the way Notepad++ processes XML structures and configuration files such as config.xml and shortcuts.xml. Attackers can exploit these flaws by tricking users into opening malicious XML or configuration files, potentially leading to system compromise.
Because Notepad++ is widely used by developers, administrators, and enterprise users, exploitation of these vulnerabilities may have a significant impact across corporate environments.
About the vulnerability
|
Vendor + Component |
Version affected |
CVE identifier |
About |
Severity |
|
Free and open source software (developed by Don Ho)
XML configuration processing components
|
Notepad++ Versions prior to v8.9.6.1 |
CVE-2026-48770 |
Crash via malformed XML structure |
High |
|
CVE-2026-48778 |
Arbitrary Code Execution via `config.xml` |
Critical |
||
|
CVE-2026-48800 |
Arbitrary Code Execution via `shortcuts.xml` |
Critical |
What can attackers do with the vulnerabilities?
Attackers can:
- Trigger application crashes using malformed XML content
- Execute arbitrary code via malicious `config.xml` files
- Exploit crafted `shortcuts.xml` files for code execution
- Deliver payloads through phishing or malicious downloads
- Gain unauthorized access to affected systems
Threats posed by the vulnerabilities
- Arbitrary Code Execution (RCE)
- System compromise
- Malware deployment
- Unauthorized access
- Credential theft
SharkStriker’s recommendations
SharkStriker’s SOC team has:
- initiated impact assessment for the specific vulnerabilities
- Developed and shared the advisory
- Reviewed the detection signatures for XML based exploitation
- Enhanced endpoint monitoring for suspicious activities
- Initiated threat hunting for malicious configuration file abuse and
- Notified and made customers aware
SharkStriker’s recommendations:
- Update Notepad++ to v8.9.6.1 immediately
- Conduct enterprise-wide vulnerability assessment for outdated versions
- Monitor endpoints for suspicious XML file activity
- Restrict execution of untrusted configuration files
- Implement enhanced endpoint detection policies
Official advisory: https://notepad-plus-plus.org/news/v8961-released/