Description
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Notepad++ verifies the HMAC of the on-disk shortcuts.xml at the moment a user command fires (the check), but the command it then runs comes from the in-memory _userCommands vector, which is filled once at startup and never refreshed from disk (the use). An attacker who can write to shortcuts.xml plants a malicious copy before Notepad++ starts, lets it be parsed into memory, and then restores the legitimate file; when the user fires the command, the HMAC check validates the restored file and passes, while the malicious entry is executed from memory. The result is execution of arbitrary local commands with the privileges of the Notepad++ process, that is, of the user who launched it.
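The check/use mismatch described above, as an added C++ illustration (not Notepad++ code and not the 8.9.6.4 patch). The "disk" is a std::map so the example runs offline, the shortcuts file is a one-command-per-line stand-in for shortcuts.xml, toyMac() is a keyed FNV-1a digest standing in for the HMAC (not a cryptographic MAC), the command names and payload are constructed, and runFixed() shows one way to close the gap, which is an assumption rather than a description of the vendor's change. The vulnerable path passes the check on the restored file and still returns the attacker's command; the fixed path executes only the bytes it verified.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Added illustration of CWE-367 as described for CVE-2026-52885. Not Notepad++
// code. The "disk" is a map so the example runs offline; the file format is a
// stand-in for shortcuts.xml; toyMac() stands in for the HMAC and is NOT a MAC.
using Disk = std::map<std::string, std::string>;

static const std::string kFile = "shortcuts.xml";
static const std::string kKey  = "per-install-secret";   // assumption: stand-in key

// Keyed FNV-1a over key || 0x00 || data. Only used to make "same bytes" testable.
std::uint64_t toyMac(const std::string& data) {
    std::uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : kKey + std::string(1, '\0') + data) {
        h ^= c;
        h *= 1099511628211ULL;
    }
    return h;
}

// Parses "name=command" lines into the command list (mirrors _userCommands).
std::vector<std::string> parseCommands(const std::string& text) {
    std::vector<std::string> cmds;
    std::size_t pos = 0;
    while (pos < text.size()) {
        std::size_t nl = text.find('\n', pos);
        if (nl == std::string::npos) nl = text.size();
        std::string line = text.substr(pos, nl - pos);
        std::size_t eq = line.find('=');
        if (eq != std::string::npos) cmds.push_back(line.substr(eq + 1));
        pos = nl + 1;
    }
    return cmds;
}

struct Editor {
    std::uint64_t trustedMac = 0;            // MAC of the file the user approved
    std::vector<std::string> userCommands;   // filled once at startup, never refreshed

    void startup(const Disk& disk) { userCommands = parseCommands(disk.at(kFile)); }

    // Vulnerable pattern: the check reads the file now, the use reads memory from startup.
    std::string runVulnerable(const Disk& disk, std::size_t idx) const {
        if (toyMac(disk.at(kFile)) != trustedMac) return "";         // check (disk)
        return idx < userCommands.size() ? userCommands[idx] : "";   // use (memory)
    }

    // One way to close the gap (assumption, not necessarily the 8.9.6.4 change):
    // the bytes that pass the check are the bytes that get executed.
    std::string runFixed(const Disk& disk, std::size_t idx) const {
        const std::string current = disk.at(kFile);
        if (toyMac(current) != trustedMac) return "";
        std::vector<std::string> cmds = parseCommands(current);
        return idx < cmds.size() ? cmds[idx] : "";
    }
};

// Replays the sequence from the description: malicious file present at launch,
// legitimate file restored (if 'restore') before the user command fires.
// Returns the command that would execute, or "" if the check rejected it.
std::string replayAttack(bool fixed, bool restore = true) {
    const std::string legit = "open_in_explorer=explorer.exe\n";        // constructed
    const std::string evil  = "open_in_explorer=cmd.exe /c whoami\n";   // constructed payload
    Editor ed;
    ed.trustedMac = toyMac(legit);     // MAC recorded when the user saved the real file
    Disk disk{{kFile, evil}};          // attacker writes the malicious file before launch
    ed.startup(disk);                  // userCommands now holds the attacker's entry
    if (restore) disk[kFile] = legit;  // attacker restores the legitimate file
    return fixed ? ed.runFixed(disk, 0) : ed.runVulnerable(disk, 0);
}
```

Without the restore step both variants reject the file, which is why the attacker must swap it back before the command fires; the window is the whole interval between startup and the user's first command, so no tight timing race is needed.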

Affected Systems

All versions of Notepad++ prior to 8.9.6.4 are affected; the fix ships in 8.9.6.4. Notepad++ is a Windows application, so the Windows build is the affected artefact.

Risk and Exploitability

The CVSS 4.0 base score of 7.5 (AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) rates the vulnerability High: local attack vector and high attack complexity, with high impact on confidentiality, integrity and availability of the affected user's environment. No EPSS score is available and the CVE is not listed in the CISA KEV catalog, so the likelihood of exploitation in the wild is not quantified. Exploitation requires write access to shortcuts.xml before Notepad++ launches and the ability to restore the legitimate file before the victim fires a user command; there is no tight timing race, since the window spans the whole interval between startup and command execution. A successful attack executes an attacker-chosen command with the privileges of the user running Notepad++, so loss of availability (for example, deleting or encrypting that user's files) is as feasible as data theft or tampering, as the VA:H component of the vector reflects.

Generated by OpenCVE AI on June 26, 2026 at 22:41 UTC.

Remediation

The CNA description states that the vulnerability is fixed in Notepad++ 8.9.6.4; no separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade to Notepad++ 8.9.6.4 or later, which closes the check/use gap between the on-disk shortcuts.xml and the in-memory command list
  • Restrict write permissions on shortcuts.xml to the owning user. Note that in a default install the file lives in the user's own writable profile directory, so an attacker already running code as that user can modify it regardless of ACLs; the control mainly protects against other accounts on a shared machine
  • Monitor shortcuts.xml for unauthorized changes (file-integrity baseline or file-system auditing) and treat a modify-then-restore pattern shortly before a Notepad++ launch as suspicious, since that is the exact sequence the attack requires


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.
Title                          Notepad++ TOCTOU: HMAC Checks Disk, Executes from Memory
Weaknesses                     CWE-367
References
Metrics                        cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:19:04.456Z

Reserved: 2026-06-08T21:44:27.365Z

Link: CVE-2026-52885

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition