A new GitHub Security Advisory describes a high-severity issue in Notepad++ that enables arbitrary code execution without the usual safety prompt. Tracked as CVE-2026-52884 and rated High (CVSS 7.8), the flaw is tied to a path traversal and improper link resolution problem that can bypass an earlier mitigation for CVE-2026-48800.
Why it matters: Notepad++ is widely used on Windows, and its configuration files (such as shortcuts.xml) live under user-writable locations. If those files are tampered with or loaded from an attacker-controlled directory, the editor can be steered to launch programs without presenting its expected confirmation dialog.
What the advisory says
According to the advisory, Notepad++ previously added a check before invoking external commands: it verified whether a resolved executable path was inside a small set of trusted directories (for example, Windows and Program Files). The new report shows that this check did not canonicalize the path before comparing it, relying instead on a prefix-style match. As a result, adding directory traversal elements after a trusted prefix could make an unsafe path appear trusted during validation while ultimately resolving outside the trusted locations.
The advisory also notes a separate vector: using a trusted binary (such as cmd.exe) as a launcher to execute other commands, again skipping the editor’s security dialog. Together, these behaviors allow arbitrary code execution without the user-confirmation prompt that Notepad++ aims to provide.
The issue is documented under CWE-42 (Path Traversal) and CWE-59 (Improper Link Resolution). The advisory states the following CVSS v3.1 metrics: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
How attackers could attempt to exploit it
The advisory outlines several realistic scenarios that rely on influencing where Notepad++ loads its configuration from or what it contains:
- Direct modification of the user’s shortcuts.xml. Any process running as the same user that can write this file could insert a malicious command that Notepad++ will execute without the usual warning dialog.
- A malicious shortcut (.lnk) using the -settingsDir switch. Launching Notepad++ via a crafted .lnk can point the editor to a configuration directory controlled by an attacker; a booby-trapped shortcuts.xml there can trigger command execution without a prompt.
- Cloud sync poisoning. If the %APPDATA%\Notepad++ directory is synchronized via a cloud service and an attacker gains access to that storage, they could inject a malicious shortcuts.xml that the editor later consumes.
- Trusted launcher chain. Because certain Windows utilities reside in trusted directories, using them as launchers (for example, invoking cmd.exe to start another program) can bypass the dialog as well.
Notably, the advisory describes tests on Notepad++ v8.9.6.1 and characterizes the impact as “arbitrary code execution without user confirmation.” One example scenario mentions execution after invoking a mapped command. The degree to which execution can occur automatically in all cases is not fully clear from the excerpted material.
Patch status and uncertainty
The advisory references a patch commit (ea15088). However, the snippet does not clearly indicate which public release, if any, contains a complete fix for CVE-2026-52884. It also states that the bypass was observed on v8.9.6.1, which was the “latest patched version” for the earlier CVE-2026-48800. Users should monitor the advisory page for definitive fix status and update guidance.
Advisory link: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-p58x-r3c9-x9p6
Credits listed by the advisory include Michele Piccinni, Trung Nguyen, Noman Nasir Minhas (@NomanNasirMinhas), and Vibhum Dubey.
Practical steps to reduce exposure
Based on the attack paths described in the advisory, a cautious approach includes:
- Treat shortcuts.xml as sensitive. Review it for unexpected commands or paths, and avoid accepting versions from untrusted sources.
- Be careful with .lnk files that launch Notepad++ with -settingsDir. Only use shortcuts you created or obtained from trusted administrators.
- If you sync %APPDATA%\Notepad++, ensure only trusted parties can modify those files in the cloud. Consider pausing sync for the Notepad++ profile if you cannot guarantee integrity.
- Keep Notepad++ updated and watch the advisory page for a release that fully addresses CVE-2026-52884 (for example, by canonicalizing paths before trust checks).
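To make the failure mode described above concrete, and to give anyone reviewing shortcuts.xml something to run, here is an added Python example; it is not Notepad++ code and does not come from the advisory. It assumes shortcuts.xml lists user commands as Command elements under UserDefinedCommands with the command line as element text; the trusted roots, the launcher set (only cmd.exe, as named by the advisory) and the sample XML are constructed for illustration. The block contrasts the prefix-style comparison the advisory describes with a check that canonicalizes the path with ntpath before comparing, and separately flags commands whose program is a location-trusted launcher.

```python
"""Added example (not Notepad++ code): why a prefix-style trust check on an
executable path is bypassable, and how to audit shortcuts.xml entries."""
import ntpath
import xml.etree.ElementTree as ET

# Trusted roots modelled on the advisory's description (constructed list).
TRUSTED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]

# Programs that launch other programs: trusted by location, arbitrary in effect.
# Only cmd.exe is named by the advisory; extend as your environment requires.
LAUNCHERS = {"cmd.exe"}


def is_trusted_naive(exe_path: str) -> bool:
    """Vulnerable pattern as the advisory describes it: compare the raw string
    against trusted prefixes without canonicalizing it first."""
    lowered = exe_path.lower()
    return any(lowered.startswith(root.lower()) for root in TRUSTED_ROOTS)


def canonicalize(exe_path: str) -> str:
    """Collapse '.' and '..' segments, then normalize case and separators.
    ntpath applies Windows rules on any host, so this runs offline anywhere."""
    return ntpath.normcase(ntpath.normpath(exe_path))


def is_trusted(exe_path: str) -> bool:
    """Hardened check: canonicalize first, then require root + separator so
    'C:\\Windows' does not match 'C:\\WindowsEvil\\x.exe'."""
    canon = canonicalize(exe_path)
    for root in TRUSTED_ROOTS:
        root_c = canonicalize(root)
        if canon == root_c or canon.startswith(root_c + ntpath.sep):
            return True
    return False


def executable_of(command: str) -> str:
    """Return the program part of a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def is_launcher(exe_path: str) -> bool:
    """True when the program itself is a launcher, regardless of its location."""
    return ntpath.basename(canonicalize(exe_path)) in LAUNCHERS


def audit_shortcuts(xml_text: str) -> list:
    """Walk UserDefinedCommands and report how each entry fares under the naive
    and the hardened check; 'bypass' marks entries accepted only by the flaw."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iter("Command"):
        exe = executable_of(cmd.text or "")
        naive, hardened = is_trusted_naive(exe), is_trusted(exe)
        findings.append({
            "name": cmd.get("name"),
            "exe": exe,
            "canonical": canonicalize(exe),
            "naive_trusted": naive,
            "trusted": hardened,
            "launcher": is_launcher(exe),
            "bypass": naive and not hardened,
        })
    return findings


# Constructed sample in the assumed shortcuts.xml layout (not a real file).
SAMPLE_SHORTCUTS_XML = r"""<NotepadPlus>
    <UserDefinedCommands>
        <Command name="Notepad" Ctrl="no" Alt="yes" Shift="no" Key="0">C:\Windows\System32\notepad.exe</Command>
        <Command name="Traversal" Ctrl="no" Alt="yes" Shift="no" Key="0">C:\Windows\..\Users\victim\evil.exe</Command>
        <Command name="Lookalike" Ctrl="no" Alt="yes" Shift="no" Key="0">C:\WindowsEvil\x.exe</Command>
        <Command name="Launcher" Ctrl="no" Alt="yes" Shift="no" Key="0">C:\Windows\System32\cmd.exe /c C:\Users\victim\evil.exe</Command>
        <Command name="Local tool" Ctrl="no" Alt="yes" Shift="no" Key="0">"C:\Users\victim\tools\fmt.exe" "%FULL_CURRENT_PATH%"</Command>
    </UserDefinedCommands>
</NotepadPlus>
"""

if __name__ == "__main__":
    for f in audit_shortcuts(SAMPLE_SHORTCUTS_XML):
        flags = [k for k in ("bypass", "launcher") if f[k]]
        print(f"{f['name']:<11} naive={f['naive_trusted']!s:<5} "
              f"hardened={f['trusted']!s:<5} {f['canonical']} {flags}")
```

Run against a real shortcuts.xml by reading the file into audit_shortcuts. An entry marked bypass is one the prefix comparison would have waved through; an entry marked launcher passes even the hardened check because it genuinely lives in a trusted directory, which is why location-based trust alone cannot decide whether a command is safe.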
Limits and context
- The CVSS vector indicates a local attack (AV:L) requiring some level of access (PR:L). In practice, an attacker must be able to modify the user’s configuration or control where Notepad++ loads it from.
- “Without user confirmation” here refers to bypassing Notepad++’s warning dialog, not necessarily implying zero user interaction in every scenario. Some examples involve invoking a mapped command.
- Details beyond the advisory excerpt—such as exact fixed versions and comprehensive remediation steps—were not available at the time of writing.
Bottom line
CVE-2026-52884 shows how trust checks can fail if paths aren’t canonicalized before validation. Until a confirmed fixed release is published, handle Notepad++ configuration files cautiously, avoid untrusted launch shortcuts, and keep an eye on the official advisory for updates.
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.