Memory Manipulation Issue in Notepad++ Source Code Editor by Notepad++
CVE-2026-48770

5MEDIUM

Key Information:

Vendor: Notepad-plus-plus
Status: Notepad-plus-plus
Vendor: CVE Published:; 26 June 2026

🔔 Create Notepad-plus-plus Vulnerability Alert

What is CVE-2026-48770?

Notepad++ is a widely used free and open-source source code editor. A vulnerability exists in versions prior to 8.9.6.1, allowing a local process within the same interactive Windows session to send a malformed WM_COPYDATA message to Notepad++. This issue arises when the COPYDATASTRUCT.lpData is processed without proper bounds enforcement, enabling potential exploitation through unvalidated data handling. This could lead to various impacts on application behavior and data integrity. Users are advised to update to version 8.9.6.1 or later to mitigate this vulnerability.

Affected Version(s)

notepad-plus-plus < 8.9.6.1

References

https://github.com/notepad-plus-plus/notepad-plus-plus/se...

x_refsource_CONFIRM

https://github.com/notepad-plus-plus/notepad-plus-plus/co...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
May 22, 2026

CVE-2026-48770 Data

JSON