- Notepad++ v8.9.6.1 fixes two critical vulnerabilities affecting Windows 11 (and 10) users.
- Attackers could exploit config.xml and shortcuts.xml to trigger arbitrary code execution.
- The flaws rely on tampered configuration files stored in the Windows AppData directory.
Notepad++ has released an urgent security update after researchers uncovered two critical vulnerabilities that could allow arbitrary code execution on Windows 11 (and 10) devices through tampered configuration files. The fixes are included in version 8.9.6.1, released on May 26, 2026.
The most severe flaw, CVE-2026-48778, affects the config.xml file. Researchers found that Notepad++ failed to validate a command-line interpreter value before passing it to Windows 11 (or Windows 10) through ShellExecute(). This allowed attackers to potentially trigger malicious executables when users used the “Open Containing Folder” option inside the app.
A second issue, CVE-2026-48800, follows a similar pattern but targets shortcuts.xml. A third vulnerability could cause the app to crash due to malformed XML structures.
The risk is increased by the way Notepad++ stores settings in the AppData directory. If an attacker gains access through malware, cloud sync poisoning, or social engineering, they can quietly modify configuration files without user awareness.
This update also lands after previous security concerns involving Notepad++. Earlier this year, the project addressed a supply-chain-style compromise where attackers hijacked parts of the update infrastructure and delivered malicious installers to targeted users. While unrelated to the new CVEs, it reinforces how Notepad++’s trust boundaries and update mechanisms have become a recurring focus for attackers.
For a tool used daily by developers, network administrators, and power users, that combination of local configuration execution and past update-chain abuse makes these flaws more than theoretical.
Users running Notepad++ 8.9.6 or earlier should update to 8.9.6.1 immediately.
Pureinfotech’s take
I see this less as a one-off bug fix and more as another reminder that “simple” desktop tools can carry real security weight. Notepad++ sits deep in developer workflows and Windows shell behavior, which is exactly why it keeps showing up in security research discussions.
Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.
Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.
Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.
You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].
