TL;DR
Notepad++ v8.9.7 fixes five security flaws in the popular Windows editor. Technical details and proof-of-concept exploit code for all five Notepad++ vulnerabilities are public in the project’s GitHub security advisories. Three carry CVE IDs: CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233. No in-the-wild exploitation has been confirmed so far.
Why It Matters
Notepad++ ships on millions of developer and admin desktops. Public exploit code removes the research effort attackers would otherwise need. Moreover, two of these flaws lead to code execution inside the Notepad++ process. Another exposes SSH keys and .env files to read-only theft. The window between disclosure and abuse is therefore short.
How the Attacks Work
CVE-2026-52886: session.xml Path Traversal
Notepad++ validates the backupFilePath attribute with a raw string prefix check. That check skips path normalisation, so traversal sequences slip through. On the next launch in snapshot mode, the editor loads the targeted file into a tab.
CVE-2026-57233: Zip Slip in WinGup
WinGup’s plugin extraction does not confirm that paths stay inside the destination folder. Consequently, a crafted plugin package can overwrite another plugin’s DLL. Loading that DLL runs attacker code.
CVE-2026-54758: Stack Buffer Overflow
A missing bounds check in expandNppEnvironmentStrs overflows a fixed stack buffer. The /GS stack canary catches the corruption, so the practical impact is a crash.
Two Flaws Awaiting CVE IDs
A shortcuts.xml macro HMAC bypass and an install-time PowerShell command injection round out the release. Both have published details and PoC code, but no assigned CVE yet.
Affected Versions
The flaws affect current Notepad++ builds, including 8.9.6.4. Version 8.9.7 contains every fix.
Patch and Mitigation Steps
Download Notepad++ v8.9.7 and update right away. Portable-install users should act first, since session.xml write access enables the traversal attack. In addition, install plugins only from trusted sources. Each write-up sits in the project’s GitHub security advisories, and the maintainers summarise every fix in the v8.9.7 release announcement.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.