Insufficient verification of data authenticity in Notepad++ - #VU137487

 

Insufficient verification of data authenticity in Notepad++ - #VU137487

Published: July 14, 2026


Vulnerability identifier: #VU137487
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-345
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Notepad++
Affected software:
Notepad++

Detailed vulnerability description

The vulnerability allows a local user to execute commands with elevated privileges.

The vulnerability exists due to insufficient verification of data authenticity in the shortcuts.xml macro processing path when loading an attacker-controlled shortcuts.xml through a settings directory consumed by an elevated Notepad++ instance. A local user can supply a crafted shortcuts.xml containing macros to execute commands with elevated privileges.

Exploitation is conditional on influencing the settings directory used by an elevated Notepad++ process and triggering the macro path.


Remediation

Install security update from vendor's website.

Sources