Unsafe Search Path Vulnerability in Notepad++ by Notepad++ Team
CVE-2026-25926

7.3HIGH

Key Information:

Vendor

Notepad-plus-plus

Status
Notepad-plus-plus
Vendor
CVE Published:
18 February 2026

What is CVE-2026-25926?

Notepad++, a popular open-source source code editor, has an Unsafe Search Path vulnerability that affects versions prior to 8.9.2. This vulnerability can occur when launching Windows Explorer without specifying an absolute executable path. If an attacker is able to manipulate the process working directory, it may enable the execution of a malicious explorer.exe, potentially leading to arbitrary code execution within the context of the running application. This underscores the importance of upgrading to version 8.9.2 or later, where this security flaw has been addressed.

Affected Version(s)

notepad-plus-plus < 8.9.2

References

https://github.com/notepad-plus-plus/notepad-plus-plus/se...
x_refsource_CONFIRM
https://github.com/notepad-plus-plus/notepad-plus-plus/re...
x_refsource_MISC
https://notepad-plus-plus.org/news/v892-released
x_refsource_MISC

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.