Notepad++ Patches High-Severity RCE Flaws in Version 8.9.6.1

The Cyber Express, May 29, 2026

Why It Matters

The patches close a low‑complexity RCE vector that could compromise millions of developer workstations, making the update essential for enterprise security posture.

Key Takeaways

  • Notepad++ 8.9.6.1 fixes three CVEs, including high‑severity RCE
  • CVE‑2026‑48778 exploits config.xml commandLineInterpreter without validation
  • Attackers can trigger calc.exe via “Open Containing Folder in cmd”
  • Patch recommended immediately; limit write access to AppData config files

Pulse Analysis

Notepad++ remains one of the most widely deployed text editors on Windows, favored by developers, IT teams, and casual users alike. Its ubiquity makes any security flaw a high‑impact concern, especially when the vulnerability resides in locally stored configuration files that are rarely scrutinized. Over the past year, researchers have highlighted a growing trend: desktop applications that trust unchecked XML or JSON settings become attractive launchpads for command‑injection attacks. The recent disclosures of CVE‑2026‑48778, CVE‑2026‑48770 and CVE‑2026‑48800 underscore how even seemingly benign features—like opening a folder in a command prompt—can be weaponized when input validation is absent.

CVE‑2026‑48778 targets the <GUIConfig name="commandLineInterpreter"> element in Notepad++'s config.xml. By inserting a malicious executable path, an attacker can coerce the "Open Containing Folder in cmd" command to run arbitrary code, demonstrated by a proof‑of‑concept that launched Windows Calculator. Exploitation requires only user‑level write access to %APPDATA%\Notepad++\config.xml, a privilege commonly granted on corporate machines for profile customization. Additional vectors, such as crafted shortcuts or cloud‑synced configuration directories, broaden the attack surface, allowing threat actors to infiltrate trusted workflows without immediate detection.

The release of version 8.9.6.1 mitigates these risks by sanitizing the commandLineInterpreter field and tightening handling of shortcuts.xml. Organizations should deploy the update without delay, enforce least‑privilege permissions on the Notepad++ AppData folder, and monitor configuration files for unexpected changes. This incident also serves as a reminder that desktop software must adopt secure‑by‑design practices, including strict validation of all user‑controlled data, to prevent similar command‑injection scenarios in the future.
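A defender's check for the configuration-tampering vector described above, written here as an added example and not code from Notepad++ or The Cyber Express: it parses a config.xml, classifies the commandLineInterpreter value against an assumed allowlist of interpreter names and trusted system directories, and hashes the file so it can be compared against a baseline. The two config fragments are constructed, and the allowlist and directory set are assumptions to tune for your estate.

```python
"""Audit a Notepad++ config.xml for a tampered commandLineInterpreter (added example)."""
import hashlib
import ntpath
import xml.etree.ElementTree as ET

# Interpreters Notepad++ is expected to launch (assumption: adjust to your estate).
ALLOWED_INTERPRETERS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Directories an absolute interpreter path may live in (assumption; lower-case).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\sysnative", r"c:\program files\powershell\7"}

# Constructed samples, shaped like the GUIConfig entries in config.xml.
CLEAN_CONFIG = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
</GUIConfigs></NotepadPlus>"""
TAMPERED_CONFIG = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\Users\dev\AppData\Local\Temp\unknown.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""


def extract_interpreter(xml_text):
    """Return the text of <GUIConfig name="commandLineInterpreter">, or None if absent."""
    for node in ET.fromstring(xml_text).iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            return (node.text or "").strip()
    return None


def classify_interpreter(value):
    """'default' for an empty field, a bare allow-listed name, or an allow-listed name
    under a trusted directory; 'suspicious' for anything else (unknown exe, relative
    path, user-writable location, trailing arguments)."""
    if not value:
        return "default"
    cleaned = value.strip().strip('"')
    has_dir = "\\" in cleaned or "/" in cleaned
    directory, name = ntpath.split(ntpath.normpath(cleaned).lower())
    if name not in ALLOWED_INTERPRETERS:
        return "suspicious"
    if not has_dir:
        return "default"  # bare name, resolved through the system PATH
    if ntpath.isabs(directory) and directory in TRUSTED_DIRS:
        return "default"
    return "suspicious"  # relative path or an untrusted directory


def audit_config(xml_text):
    """Summarise one config.xml: value, verdict, and a hash for baseline comparison."""
    value = extract_interpreter(xml_text)
    return {"interpreter": value,
            "verdict": classify_interpreter(value),
            "sha256": hashlib.sha256(xml_text.encode("utf-8")).hexdigest()}
```

Run `audit_config` over the file read from %APPDATA%\Notepad++\config.xml on each endpoint and alert on a "suspicious" verdict or on a sha256 that differs from the recorded baseline.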