CVE-2026-52885
Status: Received - Intake
Time-of-Check Time-of-Use in Notepad++ Shortcuts

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: notepad++
Product: notepad++
Version / Range: 8.9.6.4
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Executive Summary

This vulnerability exists in Notepad++ versions prior to 8.9.6.4. It involves a time-of-check to time-of-use (TOCTOU) flaw in how the application verifies user commands stored in the shortcuts.xml file. At startup, Notepad++ loads user commands from shortcuts.xml into memory. When a command is executed, the application checks the HMAC of the on-disk shortcuts.xml file to ensure integrity. However, the in-memory commands are not re-synchronized with the file after startup.

An attacker with write access to shortcuts.xml can exploit this by placing a malicious shortcuts.xml file on disk before the application starts, then immediately restoring the legitimate file. The HMAC check at command execution validates the restored legitimate file, but the malicious commands loaded in memory at startup are executed, bypassing the integrity check.
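The check-then-use gap described in the description and the summary above, shown as an added example that is not Notepad++ code and does not reproduce NppCommands.cpp. The integrity key, the sidecar file holding the expected HMAC, the XML element names, and the dictionary standing in for the file system are all assumptions made for this illustration; commands are returned as strings rather than executed. The "vulnerable" class verifies the on-disk file at command time but serves the command from a list filled at startup; the "fixed" class reads the file once, verifies that exact snapshot, and takes the command from the same snapshot, which is one way to close the gap (not necessarily the project's own patch).

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Everything below is constructed for illustration: the key, the sidecar file that
# holds the expected HMAC, the XML shape and the in-memory "disk" are assumptions,
# not details of Notepad++'s real implementation.
KEY = b"constructed-example-key"
SHORTCUTS = "shortcuts.xml"
SHORTCUTS_TAG = "shortcuts.xml.hmac"   # assumed location of the expected HMAC

LEGIT_XML = b"""<NotepadPlus><UserDefinedCommands>
  <Command name="Open in browser">cmd /c start "" "$(FULL_CURRENT_PATH)"</Command>
</UserDefinedCommands></NotepadPlus>"""

# Same command name, attacker-chosen body (a placeholder string, never executed here).
MALICIOUS_XML = b"""<NotepadPlus><UserDefinedCommands>
  <Command name="Open in browser">ATTACKER_CONTROLLED_COMMAND</Command>
</UserDefinedCommands></NotepadPlus>"""


def tag(data: bytes) -> str:
    """HMAC-SHA256 of the file bytes under the (assumed) integrity key."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def parse_commands(xml_bytes: bytes) -> list:
    """Return [(name, command_text), ...] from the shortcuts XML."""
    root = ET.fromstring(xml_bytes)
    return [(c.get("name"), c.text or "") for c in root.iter("Command")]


def install_legit(disk: dict) -> None:
    """The legitimate file and its matching tag, as written by a trusted party."""
    disk[SHORTCUTS] = LEGIT_XML
    disk[SHORTCUTS_TAG] = tag(LEGIT_XML)


def verified_bytes(disk: dict) -> bytes:
    """Read the file once and verify that exact snapshot; raise on mismatch."""
    data = disk[SHORTCUTS]
    if not hmac.compare_digest(tag(data), disk.get(SHORTCUTS_TAG, "")):
        raise PermissionError("shortcuts.xml failed integrity check")
    return data


class VulnerableEditor:
    """Check: on-disk file at command time.  Use: list filled at startup."""

    def __init__(self, disk: dict):
        self.disk = disk
        self._user_commands = parse_commands(disk[SHORTCUTS])  # never re-synced

    def run(self, index: int) -> str:
        verified_bytes(self.disk)                 # time-of-check (on-disk file)
        return self._user_commands[index][1]      # time-of-use (stale memory)


class FixedEditor:
    """Check and use operate on the same snapshot of bytes."""

    def __init__(self, disk: dict):
        self.disk = disk

    def run(self, index: int) -> str:
        data = verified_bytes(self.disk)          # check this snapshot ...
        return parse_commands(data)[index][1]     # ... and use only this snapshot


def _swap_scenario(editor_cls):
    """The sequence from the advisory: write before launch, start, restore, fire."""
    disk = {}
    install_legit(disk)
    disk[SHORTCUTS] = MALICIOUS_XML   # file replaced before launch (no valid tag)
    app = editor_cls(disk)            # application starts and loads what is on disk
    disk[SHORTCUTS] = LEGIT_XML       # legitimate file restored
    return app.run(0)                 # user fires the command


def vulnerable_result() -> str:
    return _swap_scenario(VulnerableEditor)   # the placeholder from MALICIOUS_XML


def fixed_result() -> str:
    return _swap_scenario(FixedEditor)        # the legitimate command text


def fixed_rejects_tampered_file() -> bool:
    """With the malicious file still on disk, the fixed editor refuses to run."""
    disk = {}
    install_legit(disk)
    disk[SHORTCUTS] = MALICIOUS_XML
    try:
        FixedEditor(disk).run(0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable editor runs:", vulnerable_result())
    print("fixed editor runs:     ", fixed_result())
    print("fixed editor rejects tampered file:", fixed_rejects_tampered_file())
```

The design point is that an HMAC only protects the bytes it was computed over; once those bytes are parsed into a separate in-memory structure, verifying the file again says nothing about that structure. Either the cache must be rebuilt from the verified snapshot on every use (as above), or the verification must happen once, at load time, on the same bytes that populate the cache, with the cache treated as trusted thereafter. Re-checking the file while serving a stale cache gives the appearance of integrity without the substance.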

Impact Analysis

This vulnerability allows an attacker with write access to the shortcuts.xml file to execute malicious commands within Notepad++ without detection by the application's integrity checks. This could lead to unauthorized code execution or other malicious actions performed under the context of the user running Notepad++. The attacker can bypass security mechanisms that rely on verifying the integrity of the shortcuts.xml file.

Mitigation Strategies

To mitigate this vulnerability, update Notepad++ to version 8.9.6.4 or later, where the issue has been fixed.

Additionally, restrict write access to the shortcuts.xml file to prevent attackers from placing malicious versions before application startup.
