Command injection in Notepad++ - #VU137486
Published: July 14, 2026
Notepad++
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in the NSIS installer script when processing an attacker-controlled installation directory in a PowerShell -Command string. A remote user can supply an installation path containing PowerShell expansion syntax to execute arbitrary code.
Exploitation requires Windows 11, the x64 or ARM64 installer path that performs MSIX context menu registration, and selection of the context menu component.