SB2026053104 - Improper access control in Notepad++

Description

This security bulletin contains information about 1 vulnerability.

1) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper access control in command execution from shortcuts.xml when invoking trusted executables from allowed directories. A local user can specify a trusted launcher such as cmd.exe, powershell.exe, or rundll32.exe with attacker-controlled arguments to execute arbitrary code.

The issue occurs without a warning dialog because the executable itself resides in a trusted directory even though its arguments can launch arbitrary commands.

Remediation

Install update from vendor's website.

References

• https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-p58x-r3c9-x9p6
• https://github.com/notepad-plus-plus/notepad-plus-plus/commit/ea1508855e9c4528f6198ce9d345f13cb759ebf4