Description
Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.
Published: 2026-06-26
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerable function isInTrustedDirectory in Notepad++ 8.9.6.1 fails to canonicalize the path before performing a prefix-based check. Because the check only compares the beginning of the path string, a crafted path that begins with a trusted directory followed by ..\\..\\ to an outside location passes the check. The application then calls ShellExecute on that path, allowing an attacker to run an arbitrary executable located outside of the trusted directories. If the user launches the crafted path through the Run dialog, the payload executes with the same privileges as Notepad++, potentially enabling data theft, tampering, or further lateral movement.

Affected Systems

Vendor Notepad++ (notepad-plus-plus) is affected. The vulnerable release is version 8.9.6.1. The patch that introduces path canonicalization is included in version 8.9.6.2. No other versions or platforms are listed in the CVE data.

Risk and Exploitability

The CVSS score of 7.8 classifies this flaw as high severity, and the EPSS score is not available. Based on the description, the lack of a canonically checked path provides a realistic attack surface, and the likely attack vector is local: an attacker crafts a file name that uses the suffix traversal trick and leverages the Run command or a similar feature that invokes ShellExecute. Since the flaw depends on user‑initiated execution of the path, it requires user interaction but offers high impact if triggered. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 26, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Notepad++ to version 8.9.6.2 or later, which adds canonical path validation before calling ShellExecute.
  • If an update is not immediately available, disable or restrict the Run command in Notepad++ or modify the config to prevent execution of external binaries.
  • Ensure that no untrusted executables reside in paths that can be accessed via the Run dialog and consider applying system‑wide application whitelisting to block unexpected executable launches.

Generated by OpenCVE AI on June 26, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.
Title Notepad++: CVE-2026-48800 Bypass
Weaknesses CWE-42
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:11:40.227Z

Reserved: 2026-06-08T21:44:27.365Z

Link: CVE-2026-52884

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T23:15:08Z

Weaknesses
  • CWE-42

    Path Equivalence: 'filename.' (Trailing Dot)