Path traversal in Notepad++ - CVE-2026-52886

 

Path traversal in Notepad++ - CVE-2026-52886

Published: July 14, 2026


Vulnerability identifier: #VU137490
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-52886
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Notepad++
Affected software:
Notepad++

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to path traversal in the session.xml backupFilePath attribute validation when restoring a session file in snapshot mode. A local user can inject a crafted traversal path into session.xml to disclose sensitive information.

On the next application launch with snapshot mode active, the target file content is loaded into an editor tab after the operating system resolves parent-directory traversal sequences.


How to mitigate CVE-2026-52886

Install security update from vendor's website.

Sources