Improper verification of cryptographic signature in Notepad++ - CVE-2025-15556
Published: December 10, 2025 / Updated: February 13, 2026
Vulnerability identifier: #VU119798
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-15556
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Notepad++
Affected software:
Notepad++
Notepad++
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the application does not verify certificate and signature of the downloaded update installer before installing an update. A remote attacker can perform MitM attack or place a malicious binary into the installation folder and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
How to mitigate CVE-2025-15556
Install updates from vendor's website.
Sources
- https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
- https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
- https://notepad-plus-plus.org/news/v889-released/