Description
Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.
Published: 2026-02-18
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Apply Patch
AI Analysis

Impact

An unsafe search path flaw (CWE-426) exists in Notepad++ versions earlier than 8.9.2. When launching Windows Explorer without specifying an absolute executable path, the application may execute a malicious explorer.exe if an attacker can control the process working directory. This can result in arbitrary code execution within the context of the running Notepad++ process, jeopardizing the confidentiality and integrity of user data.

Affected Systems

The vulnerability affects Notepad++ for Windows released before version 8.9.2. All earlier releases are susceptible because they invoke explorer.exe by name rather than by an absolute path, so the Windows executable search order can resolve it from the process working directory.

Risk and Exploitability

The CVSS score of 7.3 corresponds to a High severity rating, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to have local access to, or influence over, the working directory used by Notepad++; once that is achieved, the editor's launch of Windows Explorer can execute the planted explorer.exe. The threat is most pronounced for users running older builds on shared or multi-user systems where directory contents may be manipulated.

Generated by OpenCVE AI on April 17, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Notepad++ 8.9.2 or later, the release that patches the issue.
  • If upgrading is not immediately possible, ensure that the directory from which Notepad++ runs contains no untrusted executables and that the working directory of the Notepad++ process cannot be written to by untrusted users.
  • Regularly verify that the explorer.exe reachable from the Notepad++ working environment is the legitimate Windows binary (the copy under %SystemRoot%) by checking its digital signature, and monitor for unexpected additions or changes.
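As an added example (not part of the OpenCVE record and not Notepad++'s own code), the PowerShell below implements the second and third actions as an audit an administrator can run on a workstation: it confirms the installed Notepad++ file version against the fixed release named above, resolves the trusted explorer.exe by absolute path under %SystemRoot% and checks its Authenticode signature, and then lists any other explorer.exe found in the directories a Notepad++ process is likely to use as its working directory. The install locations in $InstallDirs, the use of the file version as the product version, and the choice of directories to scan are assumptions; adjust them for your environment.

```powershell
# Added example, not from the OpenCVE record or the Notepad++ project.
# Assumptions: default Notepad++ install folders, a standard %SystemRoot%,
# and that the notepad++.exe file version tracks the product version.

# Hypothetical default install folders to audit; extend for your estate.
$InstallDirs = @(
    "$env:ProgramFiles\Notepad++",
    "${env:ProgramFiles(x86)}\Notepad++"
) | Where-Object { Test-Path -LiteralPath $_ }

function Resolve-TrustedExplorerPath {
    # Returns the absolute path of the Windows shell binary after verifying its
    # Authenticode signature; throws if it is missing or not Microsoft-signed.
    $path = Join-Path $env:SystemRoot 'explorer.exe'
    if (-not (Test-Path -LiteralPath $path)) { throw "explorer.exe not found at $path" }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Signature check failed for ${path}: $($sig.Status)"
    }
    return $path
}

function Test-NotepadPlusPlusVersion {
    param([string]$Directory)
    # Compares the installed binary's file version with the fixed release (8.9.2).
    $exe = Join-Path $Directory 'notepad++.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    $ver = [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    [pscustomobject]@{ Path = $exe; Version = $ver; Fixed = ($ver -ge [version]'8.9.2') }
}

function Find-RogueExplorer {
    param([string[]]$Directories)
    # Any explorer.exe outside %SystemRoot% is suspicious: a launch of the bare
    # name 'explorer.exe' from such a working directory resolves to it first.
    $trusted = (Resolve-TrustedExplorerPath).ToLowerInvariant()
    foreach ($dir in $Directories) {
        Get-ChildItem -LiteralPath $dir -Filter 'explorer.exe' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName.ToLowerInvariant() -ne $trusted } |
            ForEach-Object {
                $s = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path            = $_.FullName
                    SignatureStatus = $s.Status
                    Signer          = $s.SignerCertificate.Subject
                }
            }
    }
}

# Usage: report versions, then scan install folders plus the current
# session's working directory (stand-in for a user-controlled directory).
foreach ($d in $InstallDirs) { Test-NotepadPlusPlusVersion -Directory $d }
Find-RogueExplorer -Directories ($InstallDirs + @((Get-Location).Path))
```

Resolve-TrustedExplorerPath also shows the pattern the fix relies on: a script or program that needs to open Explorer should pass the absolute path it returns to Start-Process rather than the bare name `explorer.exe`, so the search order never consults the working directory. An empty result from Find-RogueExplorer is the expected state; any row it returns should be treated as a planted binary until its origin is explained.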

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Notepad-plus-plus notepad\+\+
CPEs | | cpe:2.3:a:notepad-plus-plus:notepad\+\+:*:*:*:*:*:*:*:*
Vendors & Products | | Notepad-plus-plus notepad\+\+

Thu, 19 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Notepad-plus-plus; Notepad-plus-plus notepad++
Vendors & Products | | Notepad-plus-plus; Notepad-plus-plus notepad++

Wed, 18 Feb 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.
Title | | Notepad++ has an Untrusted Search Path
Weaknesses | | CWE-426
References | |
Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:45:27.028Z

Reserved: 2026-02-09T16:22:17.785Z

Link: CVE-2026-25926

Vulnrichment

Updated: 2026-02-19T17:07:33.898Z

NVD

Status : Analyzed

Published: 2026-02-19T00:16:21.787

Modified: 2026-02-19T18:32:34.863

Link: CVE-2026-25926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses