CVE-2026-48800
Analyzed Analyzed - Analysis Complete

Command Injection in Notepad++ via Malicious Shortcuts

Vulnerability report for CVE-2026-48800, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validation. When the user clicks the corresponding entry in the Run menu, NppCommands.cpp:4264 creates a Command object with string2wstring(ucmd.getCmd()) and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. The injected command appears as a normal menu item in the Run menu, making it a viable persistence mechanism. This vulnerability is fixed in 8.9.6.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
notepad-plus-plus notepad++ to 8.9.6.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Notepad++ versions prior to 8.9.6.1. It involves the way the application processes the <Command> tag inside <UserDefinedCommands> in the shortcuts.xml file. The text content of this tag is read and stored without any validation. When a user clicks the corresponding entry in the Run menu, the application executes the attacker-controlled command string as an executable path via ShellExecute. This means an attacker can inject malicious commands that appear as normal menu items, providing a persistence mechanism within the application.

Detection Guidance

This vulnerability involves malicious commands injected into the <Command> tag inside <UserDefinedCommands> in the shortcuts.xml file of Notepad++ prior to version 8.9.6.1. Detection involves inspecting the shortcuts.xml file for unexpected or suspicious entries under <UserDefinedCommands>.

Since the injected commands appear as normal menu items in the Run menu, reviewing the shortcuts.xml file manually or via scripts can help identify unauthorized commands.

A suggested approach is to search for the shortcuts.xml file in the Notepad++ configuration directory and examine the <UserDefinedCommands> section for suspicious commands.

  • On Windows, locate the shortcuts.xml file typically found in %APPDATA%\Notepad++\shortcuts.xml.
  • Use a command like: findstr /I /C:"<UserDefinedCommands>" %APPDATA%\Notepad++\shortcuts.xml to locate the section.
  • Use a text editor or command-line tools (e.g., PowerShell) to search for suspicious or unexpected commands within the <Command> tags.

Network detection is less applicable since the vulnerability is local and triggered by user interaction with the Run menu in Notepad++. Monitoring for unexpected process executions of commands originating from Notepad++ could be a complementary detection method.

Impact Analysis

The vulnerability can lead to high impact consequences including unauthorized code execution with high confidentiality, integrity, and availability impact. An attacker can inject and execute arbitrary commands when a user selects the malicious menu item, potentially leading to system compromise, data loss, or other malicious activities. Since the injected command appears as a normal menu item, it can persist and be triggered repeatedly.

Mitigation Strategies

The vulnerability is fixed in Notepad++ version 8.9.6.1. Immediate mitigation involves updating Notepad++ to version 8.9.6.1 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart