Path Traversal Vulnerability in Notepad++ by Notepad++ Team
CVE-2026-52884

7.8HIGH

Key Information:

Vendor: Notepad-plus-plus
Status: Notepad-plus-plus
Vendor: CVE Published:; 26 June 2026

🔔 Create Notepad-plus-plus Vulnerability Alert

What is CVE-2026-52884?

Notepad++ version 8.9.6.1 is susceptible to a path traversal vulnerability due to improper canonicalization of paths in the isInTrustedDirectory() function. This allows attackers to exploit the system by resolving paths to untrusted locations using a prefix-based check, effectively bypassing security measures. The issue is addressed in version 8.9.6.2, where validation is added to ensure that the resolved executable paths reside within a trusted directory before execution.

Affected Version(s)

notepad-plus-plus = 8.9.6.1

References

https://github.com/notepad-plus-plus/notepad-plus-plus/se...

x_refsource_CONFIRM

https://github.com/notepad-plus-plus/notepad-plus-plus/co...

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 8, 2026

CVE-2026-52884 Data

JSON