Command Injection Vulnerability in Notepad++ Source Code Editor
CVE-2026-48800

7.8 HIGH

Key Information:

Vendor
CVE Published: 26 June 2026

What is CVE-2026-48800?

Notepad++, a widely used open-source code editor, is vulnerable to command injection through the user-defined commands stored in shortcuts.xml. The tag content is processed without proper validation, which allows an attacker to inject malicious commands. The injected command is executed when a user activates the menu item, posing a significant security threat. The vulnerability is fixed in Notepad++ version 8.9.6.1, and users should update to that version to mitigate the risk.

Affected Version(s)

notepad-plus-plus < 8.9.6.1
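
A defender-side check for the two facts above, as an added example that is not code from Notepad++ or from this advisory: it tests a version string against the fixed release and lists user-defined commands in a shortcuts.xml that are not in a reviewed baseline. It assumes the usual `<UserDefinedCommands>`/`<Command>` layout of shortcuts.xml; the sample file and the `BASELINE` set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FIXED = (8, 9, 6, 1)  # first fixed release, per this advisory

def is_affected(version: str) -> bool:
    """True if a dotted Notepad++ version is older than the fixed release."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    parts += (0,) * (len(FIXED) - len(parts))  # pad "8.9.6" to 8.9.6.0
    return parts < FIXED

def user_commands(xml_text: str):
    """Return (name, command) pairs for every user-defined command.

    Assumes entries live at <NotepadPlus>/<UserDefinedCommands>/<Command>.
    For files from an untrusted host, parse with a hardened parser
    such as defusedxml instead of the standard library.
    """
    root = ET.fromstring(xml_text)
    return [(c.get("name", ""), (c.text or "").strip())
            for c in root.findall("./UserDefinedCommands/Command")]

def unapproved(xml_text: str, baseline: set):
    """Entries whose command text is not in the reviewed baseline."""
    return [(n, c) for n, c in user_commands(xml_text) if c not in baseline]

# Constructed sample, not taken from a real system.
SAMPLE = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Open containing folder" Ctrl="no" Alt="no" Shift="no" Key="0">explorer "$(CURRENT_DIRECTORY)"</Command>
    <Command name="Format document" Ctrl="no" Alt="no" Shift="no" Key="0">C:\Users\Public\tool.exe "$(FULL_CURRENT_PATH)"</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

# Hypothetical baseline: command strings an administrator has reviewed.
BASELINE = {'explorer "$(CURRENT_DIRECTORY)"'}

if __name__ == "__main__":
    print("8.9.6 affected:", is_affected("8.9.6"))
    for name, cmd in unapproved(SAMPLE, BASELINE):
        print(f"review: {name!r} -> {cmd}")
```

Run it against each user profile's shortcuts.xml and review anything reported before the menu item is used; updating to 8.9.6.1 remains the fix.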

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
