CVE-2026-52884
Analyzed Analyzed - Analysis Complete

Path Traversal in Notepad++ Editor

Vulnerability report for CVE-2026-52884, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-29
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
notepad-plus-plus notepad++ 8.9.6.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-42 The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Notepad++ version 8.9.6.1 in the function isInTrustedDirectory(). The function does not canonicalize the path before checking if it is within a trusted directory. Instead, it uses a prefix-based check that matches paths starting with trusted directory strings.

Because of this, an attacker can use path traversal sequences like ..\..\ after a trusted directory prefix to bypass the check. This causes the function to incorrectly consider an untrusted location as trusted.

The vulnerability allows execution of files from untrusted locations while the program believes they are trusted. It was fixed in version 8.9.6.2 by adding validation to ensure the resolved executable path is truly under a trusted directory before execution.

Impact Analysis

This vulnerability can lead to the execution of malicious code from untrusted locations because the path validation is bypassed. An attacker could exploit this to run harmful executables with the privileges of the user running Notepad++.

The CVSS score of 7.8 indicates a high severity impact, including high confidentiality, integrity, and availability impacts.

Mitigation Strategies

The vulnerability is fixed in Notepad++ version 8.9.6.2. To mitigate this vulnerability, you should update Notepad++ to version 8.9.6.2 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart