Description
Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a local attacker who can place a malicious powershell.exe in a user‑writable custom installation directory to coerce the Notepad++ installer into executing that file with the elevated privileges of the installer itself. Because the installer resolves powershell.exe via the current working directory rather than a full path, the malicious executable can be launched without the user's awareness, granting the attacker full administrative rights on the affected machine. The weakness is classified as CWE-426, Insecure Library or Package Dependency.

Affected Systems

Notepad++ versions 8.9.4 and 8.9.5 are affected. The issue is resolved in version 8.9.6, which can be safely installed on systems that previously ran the vulnerable releases.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, with full control of the system as the potential outcome. EPSS data is not available, but the nature of the flaw means exploitation is straightforward for an attacker who can influence the installation process on a device with administrative rights. The vulnerability is not currently listed in the CISA KEV catalog and no public exploits are known; the vector requires local presence and a privileged installation, which is a typical scenario in many enterprises. Monitoring user-writable installation paths and deploying the public fix are the most effective mitigation strategies.

Generated by OpenCVE AI on June 26, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Notepad++ 8.9.6 or later to eliminate the vulnerability
  • Restrict write permission to the custom installation directory so that only trusted administrators can place files there
  • Avoid running the Notepad++ installer with elevated privileges unless the installation directory is known to be safe
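As an added example (not from the OpenCVE record or the Notepad++ project), the PowerShell check below tests the two preconditions the description names before an installer is run elevated: a pre-placed powershell.exe in the chosen directory or its contextMenu subdirectory, and write access to those directories for low-privilege principals. The contextMenu name comes from the description; the list of SIDs treated as low-privilege is an assumption.

```powershell
# Added example: pre-installation audit of a custom Notepad++ install directory.
# Assumes the caller supplies the directory; 'contextMenu' is the subdirectory
# named in the advisory, and the SID list below is our own choice of untrusted principals.
param(
    [Parameter(Mandatory)] [string] $InstallDir
)

$findings = @()
$dirs = @($InstallDir, (Join-Path $InstallDir 'contextMenu'))

# Principals whose write access makes the directory attacker-controllable (assumption).
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles)

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    # 1. An executable with the name the installer resolves relative to its working directory.
    $candidate = Join-Path $dir 'powershell.exe'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $findings += "Unexpected executable present: $candidate"
    }

    # 2. Allow ACEs granting write/create rights to low-privilege principals.
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: skip rather than fail the audit
        if (($lowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += "Low-privilege principal $($ace.IdentityReference) can write to $dir"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # do not proceed with an elevated install
}
Write-Output "No pre-placed powershell.exe and no low-privilege write access under $InstallDir"
exit 0
```

A non-zero exit code is a signal to fix the directory ACL or choose a different, administrator-controlled path before installing; it is not a substitute for upgrading to 8.9.6.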



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:00:00 +0000

Type        | Values Removed | Values Added
------------|----------------|-------------
Description |                | Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.
Title       |                | Notepad++: Privilege Escalation in the Installer via Uncontrolled Executable Search Path
Weaknesses  |                | CWE-426
References  |                |
Metrics     |                | cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:16:16.022Z

Reserved: 2026-05-15T23:26:58.309Z

Link: CVE-2026-46710

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses