CVE-2026-20841 - Vulnerability Details

- Windows Notepad App Remote Code Execution Vulnerability

Description

Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code locally.

Published: 2026-02-10

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Windows Notepad contains a command injection weakness (CVE-2026-20841) where special elements in a command are not properly neutralized. This flaw, identified as CWE‑77, permits an attacker who may not be authenticated to run arbitrary commands on the local machine. The impact is the potential for any code to be executed with the permissions of the current user, compromising confidentiality, integrity, or availability of the affected system.

Affected Systems

The vulnerability affects Microsoft Windows Notepad. No specific version ranges are supplied, so any installation of Notepad that has not yet been updated through Microsoft’s security channels could be susceptible.

Risk and Exploitability

The CVSS score of 7.8 indicates that the flaw is high severity, while an EPSS score of less than 1% suggests that the likelihood of exploitation is currently low. The issue is not listed in the CISA KEV catalogue. Attacks would most likely occur in a local context, such as from a malicious document, shortcut, or other user‑initiated action that triggers the vulnerable code path.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Windows Notepad

affected

Version	Status	Constraints
`11.0.0`	affected	< 11.2512

Configuration 1 [-]

cpe:2.3:a:microsoft:windows_notepad:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Microsoft

Windows Notepad

—

Version	Status	Scheme	Platform
`[11.0.0,11.2510)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the Microsoft patch that addresses CVE‑2026‑20841 through Windows Update or the Microsoft Update Catalog
If the update cannot be applied immediately, configure AppLocker or equivalent application whitelisting to block Notepad from executing arbitrary commands until the patch is deployed
Enable automatic updates and monitor Microsoft security bulletins to ensure timely application of future fixes

Generated by OpenCVE AI on April 15, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00121.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
https://news.ycombinator.com/item?id=46971516

History

Wed, 25 Feb 2026 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:microsoft:windows_notepad::::::::

Thu, 12 Feb 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description	Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network.	Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code locally.
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}`

Wed, 11 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft windows Notepad
Vendors & Products		Microsoft windows Notepad

Wed, 11 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
References		https://news.ycombinator.com/item?id=46971516

Tue, 10 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network.
Title		Windows Notepad App Remote Code Execution Vulnerability
First Time appeared		Microsoft Microsoft window Notepad
Weaknesses		CWE-77
CPEs		cpe:2.3:a:microsoft:window_notepad::::::::
Vendors & Products		Microsoft Microsoft window Notepad
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Window Notepad Windows Notepad

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-02-10T17:51:50.412Z

Updated: 2026-04-10T13:21:37.089Z

Reserved: 2025-12-03T05:54:20.376Z

Link: CVE-2026-20841

Vulnrichment

Updated: 2026-02-11T14:53:10.118Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:22.643

Modified: 2026-02-25T14:32:14.467

Link: CVE-2026-20841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object