CVE-2026-52885
Analyzed Analyzed - Analysis Complete

Time-of-Check Time-of-Use in Notepad++ Shortcuts

Vulnerability report for CVE-2026-52885, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-29
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
notepad-plus-plus notepad++ to 8.9.6.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Notepad++ versions prior to 8.9.6.4. It involves a time-of-check to time-of-use (TOCTOU) flaw in how the application verifies user commands stored in the shortcuts.xml file. At startup, Notepad++ loads user commands from shortcuts.xml into memory. When a command is executed, the application checks the HMAC of the on-disk shortcuts.xml file to ensure integrity. However, the in-memory commands are not re-synchronized with the file after startup.

An attacker with write access to shortcuts.xml can exploit this by placing a malicious shortcuts.xml file on disk before the application starts, then immediately restoring the legitimate file. The HMAC check at command execution validates the restored legitimate file, but the malicious commands loaded in memory at startup are executed, bypassing the integrity check.

Impact Analysis

This vulnerability allows an attacker with write access to the shortcuts.xml file to execute malicious commands within Notepad++ without detection by the application's integrity checks. This could lead to unauthorized code execution or other malicious actions performed under the context of the user running Notepad++. The attacker can bypass security mechanisms that rely on verifying the integrity of the shortcuts.xml file.

Mitigation Strategies

To mitigate this vulnerability, update Notepad++ to version 8.9.6.4 or later, where the issue has been fixed.

Additionally, restrict write access to the shortcuts.xml file to prevent attackers from placing malicious versions before application startup.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart