NotePad++ dbghelp.exe uncontrolled search path
CVE-2023-6401

7.8HIGH

Key Information:

Vendor: Notepad-plus-plus
Status: NotePad++
Vendor: CVE Published:; 30 November 2023

🔔 Create Notepad-plus-plus Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-6401?

A significant vulnerability has been identified in NotePad++, affecting all versions up to 8.1. This flaw pertains to an unknown functionality within the file dbghelp.exe, which may allow attackers to manipulate the software's search path. Such manipulation could lead to unintended consequences, as the attack must be carried out locally. Despite early notification to the vendor regarding this disclosure, there was no response. It's critical for users to be vigilant and consider potential security implications until a patch is released.

Affected Version(s)

NotePad++ 8.0

NotePad++ 8.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-6401
Created by mekitoci

References

https://vuldb.com/?id.246421

vdb-entry

https://vuldb.com/?ctiid.246421

signaturepermissions-required

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 19, 2025
👾
Exploit known to exist
Jun 19, 2025
Vulnerability published
Nov 30, 2023
Vulnerability Reserved
Nov 30, 2023

Credit

tfhm (VulDB User)