SB2026071473 - Multiple vulnerabilities in Notepad++
Published: July 14, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Command injection (CVE-ID: N/A)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in the NSIS installer script when processing an attacker-controlled installation directory in a PowerShell -Command string. A remote user can supply an installation path containing PowerShell expansion syntax to execute arbitrary code.
Exploitation requires Windows 11, the x64 or ARM64 installer path that performs MSIX context menu registration, and selection of the context menu component.
2) Insufficient verification of data authenticity (CVE-ID: N/A)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute commands with elevated privileges.
The vulnerability exists due to insufficient verification of data authenticity in the shortcuts.xml macro processing path when loading an attacker-controlled shortcuts.xml through a settings directory consumed by an elevated Notepad++ instance. A local user can supply a crafted shortcuts.xml containing macros to execute commands with elevated privileges.
Exploitation is conditional on influencing the settings directory used by an elevated Notepad++ process and triggering the macro path.
3) Path traversal (CVE-ID: CVE-2026-57233)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to path traversal in WinGup decompress() plugin extraction routine when extracting a crafted plugin zip archive. A local user can supply a specially crafted archive with traversal sequences to execute arbitrary code.
Code execution occurs when Notepad++ later loads the overwritten plugin DLL.
4) Stack-based buffer overflow (CVE-ID: CVE-2026-54758)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to stack-based buffer overflow in expandNppEnvironmentStrs when parsing a variable name in the Run dialog input. A remote attacker can trick the victim into processing a specially crafted variable reference to cause a denial of service.
User interaction is required to open the Run dialog and submit crafted input.
5) Path traversal (CVE-ID: CVE-2026-52886)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to path traversal in the session.xml backupFilePath attribute validation when restoring a session file in snapshot mode. A local user can inject a crafted traversal path into session.xml to disclose sensitive information.
On the next application launch with snapshot mode active, the target file content is loaded into an editor tab after the operating system resolves parent-directory traversal sequences.
Remediation
Install update from vendor's website.
References
- https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-gp2r-262h-9hgf
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/3764d5b72664ef95421bc53bcb204f9b977d346b
- https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-f4rj-vqq4-wvg4
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/7686e5a3025eaf1fb8e024c2ceb54670ea05f5fb
- https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-hjxw-84rf-wg5r
- https://github.com/notepad-plus-plus/wingup/commit/7670296a5c7fdec624e0a45dbde51059a7d735a8
- https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-gv94-327x-2gc5
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/0a9527e9f7140a2323e25d14e362b46ee0efc3db
- https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-rqfm-pw34-r7j6
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/7e66f36db666a13b09fb5c31232ab2ca1c2ebccc