Time-of-Check to Time-of-Use Issue in Notepad++ Affects User Command Safety
CVE-2026-52885

7.5 HIGH

Key Information:

Vendor
CVE Published:
26 June 2026

What is CVE-2026-52885?

A vulnerability in Notepad++ prior to version 8.9.6.4 allows an attacker to exploit a time-of-check to time-of-use (TOCTOU) flaw in the handling of user command shortcuts. The application checks the HMAC of the 'shortcuts.xml' file when a command is executed, but this check is based on an in-memory copy created at startup, which is never resynchronized with the version on disk. An attacker with write access can replace 'shortcuts.xml' with a malicious version between application launch and command execution. Consequently, the HMAC validation passes for the legitimate file while a harmful command executes from memory, compromising user security.
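
The following is an added, simplified model of the check/use split described above; it is not Notepad++ code. It assumes a toy one-element 'shortcuts.xml', a constructed HMAC key, and a fake in-memory "disk", and contrasts a dispatcher that verifies the startup snapshot but runs whatever the file currently holds with one that verifies the exact bytes it executes.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"  # constructed for the demo; a real app keeps this secret


def make_tag(data: bytes) -> str:
    """HMAC-SHA256 tag over the file bytes (hex)."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(make_tag(data), tag)


def command_from(xml: bytes) -> str:
    """Toy stand-in for parsing shortcuts.xml: returns the single <Command> text."""
    start = xml.index(b"<Command>") + len(b"<Command>")
    end = xml.index(b"</Command>")
    return xml[start:end].decode()


class FakeDisk:
    """Constructed stand-in for the on-disk shortcuts.xml."""

    def __init__(self, content: bytes):
        self.content = content

    def read(self) -> bytes:
        return self.content

    def write(self, content: bytes) -> None:
        self.content = content


def dispatch_vulnerable(disk: FakeDisk, startup_snapshot: bytes, tag: str) -> str:
    # Check: validates the copy cached at startup ...
    if not verify(startup_snapshot, tag):
        raise PermissionError("HMAC mismatch")
    # ... Use: but the command that runs is taken from the current file contents.
    return command_from(disk.read())


def dispatch_fixed(disk: FakeDisk, tag: str) -> str:
    # Read once, verify those exact bytes, and execute only from those bytes.
    current = disk.read()
    if not verify(current, tag):
        raise PermissionError("HMAC mismatch")
    return command_from(current)


def demo() -> tuple:
    legit = b"<Command>notepad++.exe --help</Command>"
    tag = make_tag(legit)
    disk = FakeDisk(legit)
    snapshot = disk.read()                            # startup: file is cached
    disk.write(b"<Command>replaced.exe</Command>")   # file changes after launch (constructed)
    vuln = dispatch_vulnerable(disk, snapshot, tag)   # check passes, replaced command returned
    try:
        fixed = dispatch_fixed(disk, tag)
    except PermissionError:
        fixed = "rejected"
    return vuln, fixed
```

The mitigation shown is the general rule for any signed configuration: the bytes that are authenticated must be the same bytes that are acted on, with no second read in between.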

Affected Version(s)

notepad-plus-plus < 8.9.6.4

References

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved
