Update Integrity Verification Vulnerability in Notepad++ by Notepad++
CVE-2025-15556

7.7HIGH

Key Information:

Vendor

Notepad-plus-plus

Status
Notepad-plus-plus
Vendor
CVE Published:
3 February 2026

What is CVE-2025-15556?

Notepad++ versions prior to 8.8.9, when utilizing the WinGUp updater, exhibit a significant vulnerability where the integrity of update metadata and installers is not subjected to cryptographic verification. This flaw allows an attacker to intercept or alter update traffic, leading to the potential for malicious installers to be downloaded and executed. Consequently, this may result in arbitrary code execution under the privileges of the user, posing a serious security risk to affected systems.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

notepad-plus-plus 0 < 8.8.9

References

https://community.notepad-plus-plus.org/topic/27298/notep...
release-notespatch
https://notepad-plus-plus.org/news/hijacked-incident-info...
vendor-advisory
https://github.com/notepad-plus-plus/notepad-plus-plus/co...
patch

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.