CVE-2026-52884
Status: Received - Intake
Path Traversal in Notepad++ Editor

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.
Meta Information
Generated: 2026-06-27
Affected Vendors & Products
Vendor: notepad++
Product: notepad++
Version / Range: 8.9.6.2
CWE
CWE-42: The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Executive Summary

This vulnerability exists in Notepad++ version 8.9.6.1 in the function isInTrustedDirectory(). The function does not canonicalize the path before checking if it is within a trusted directory. Instead, it uses a prefix-based check that matches paths starting with trusted directory strings.

Because of this, an attacker can use path traversal sequences like ..\..\ after a trusted directory prefix to bypass the check. This causes the function to incorrectly consider an untrusted location as trusted.

The vulnerability allows execution of files from untrusted locations while the program believes they are trusted. It was fixed in version 8.9.6.2 by adding validation to ensure the resolved executable path is truly under a trusted directory before execution.
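As an added illustration (not code from Notepad++ or from the advisory), the two validation styles the description contrasts are shown side by side: a raw string-prefix check, and a check that canonicalizes first and then requires the trusted directory to be a path-component ancestor. Python's ntpath is used so the Windows path semantics run on any platform; the trusted directory and the sample paths are constructed, and the sibling-directory case goes beyond the advisory's ..\..\ example.

```python
import ntpath

# Constructed sample trusted directory (assumption, not taken from the advisory).
TRUSTED_DIR = r"C:\Program Files\Notepad++"


def prefix_check(candidate: str) -> bool:
    """Weak pattern: compare the raw string against the trusted prefix
    (PathIsPrefix-style) without resolving '.' or '..' components."""
    return ntpath.normcase(candidate).startswith(ntpath.normcase(TRUSTED_DIR))


def canonical_check(candidate: str) -> bool:
    """Hardened pattern: normalize both paths first, then require that the
    trusted directory is an ancestor in terms of whole path components."""
    trusted = ntpath.normcase(ntpath.normpath(TRUSTED_DIR))
    resolved = ntpath.normcase(ntpath.normpath(candidate))
    try:
        return ntpath.commonpath([trusted, resolved]) == trusted
    except ValueError:
        # Raised when the paths are on different drives: no common ancestor.
        return False


# Constructed test inputs: one legitimate path, one traversal past the trusted
# directory, one sibling directory that merely shares the string prefix.
SAMPLES = {
    "inside":   r"C:\Program Files\Notepad++\notepad++.exe",
    "traverse": r"C:\Program Files\Notepad++\..\..\Users\Public\evil.exe",
    "sibling":  r"C:\Program Files\Notepad++2\evil.exe",
}


def compare_checks() -> dict:
    """Return {label: (prefix_result, canonical_result)} for each sample."""
    return {k: (prefix_check(v), canonical_check(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (weak, strong) in compare_checks().items():
        print(f"{label:9} prefix_check={weak!s:5} canonical_check={strong}")
```

Only the canonicalizing check rejects the traversal and sibling cases while still accepting the legitimate path under the trusted directory.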

Impact Analysis

This vulnerability can lead to the execution of malicious code from untrusted locations because the path validation is bypassed. An attacker could exploit this to run harmful executables with the privileges of the user running Notepad++.

The CVSS score of 7.8 indicates a high severity impact, including high confidentiality, integrity, and availability impacts.

Mitigation Strategies

The vulnerability is fixed in Notepad++ version 8.9.6.2. To mitigate this vulnerability, you should update Notepad++ to version 8.9.6.2 or later.
