Command injection in Notepad++ - #VU137486

 

Command injection in Notepad++ - #VU137486

Published: July 14, 2026


Vulnerability identifier: #VU137486
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Notepad++
Affected software:
Notepad++

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to command injection in the NSIS installer script when processing an attacker-controlled installation directory in a PowerShell -Command string. A remote user can supply an installation path containing PowerShell expansion syntax to execute arbitrary code.

Exploitation requires Windows 11, the x64 or ARM64 installer path that performs MSIX context menu registration, and selection of the context menu component.


Remediation

Install security update from vendor's website.

Sources