Description
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.
Published: 2026-06-26
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Notepad++ releases prior to 8.9.6.1 read the <GUIConfig name="commandLineInterpreter"> entry from config.xml without any validation, so whatever string it contains is later handed to ShellExecute as a program path. The absence of a whitelist or signature check turns this configuration value into an OS command injection point (CWE-78). An attacker who can modify or supply a config.xml file can cause Notepad++ to launch arbitrary code when the user chooses File → Open Containing Folder → cmd, which amounts to execution of arbitrary programs on the victim's machine with that user's privileges.

Affected Systems

The vulnerability affects the Notepad++ source code editor, specifically releases prior to version 8.9.6.1. All users running these earlier versions on any operating system where Notepad++ is installed are potentially exposed.

Risk and Exploitability

The CVSS 3.1 score of 7.8 indicates high severity. The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is available. Exploitation requires a local user or process that can modify or replace config.xml, followed by a user action that triggers File → Open Containing Folder → cmd; this matches the local attack vector and required user interaction recorded in the CVSS vector (AV:L, UI:R). The launched program runs with the privileges of the user running Notepad++. Remote exploitation is unlikely given the local attack vector, but any local user or process with write access to config.xml can cause arbitrary programs to run in that user's context. The combination of a high CVSS score, a practical local execution path, and no evidence of exploitation in the wild so far suggests a significant risk to affected systems.

Generated by OpenCVE AI on June 26, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Notepad++ to version 8.9.6.1 or later to fix the commandLineInterpreter validation issue.
  • If an upgrade is not immediately possible, edit or remove the <GUIConfig name="commandLineInterpreter"> entry from config.xml to prevent the application from executing arbitrary strings.
  • Restrict write permissions for config.xml to only the Notepad++ installer or privileged users so that regular users cannot alter the commandLineInterpreter value.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1.
Title | (none) | Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
Weaknesses | (none) | CWE-78
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:21:17.254Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48778

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:00:09Z

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')