Path traversal in Notepad++ - CVE-2026-57233
Published: July 14, 2026
Notepad++
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to path traversal in WinGup decompress() plugin extraction routine when extracting a crafted plugin zip archive. A local user can supply a specially crafted archive with traversal sequences to execute arbitrary code.
Code execution occurs when Notepad++ later loads the overwritten plugin DLL.