SB20251210170 - Insecure update installation in Notepad++
Published: December 10, 2025 Updated: December 11, 2025
Security Bulletin ID
SB20251210170
Severity
Critical
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper verification of cryptographic signature (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the application does not verify certificate and signature of the downloaded update installer before installing an update. A remote attacker can perform MitM attack or place a malicious binary into the installation folder and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.
References
- https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
- https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
- https://notepad-plus-plus.org/news/v889-released/