Notepad++ requires urgent update: hackers swapping configs to run malware



Notepad++, a popular text and source code editor used by 28 million users, has released emergency patches fixing three critical vulnerabilities that can be exploited to run malware. A simple, crafted shortcut file can trigger an attack.


Don Ho, creator and maintainer of Notepad++, fixed three vulnerabilities in version 8.9.6.1. Two of them allow attackers to tamper with the text editor’s configuration files and achieve arbitrary code execution.


“Config.xml to ShellExecute. The shortest path I have ever traced from a source to a sink,” said Michele Piccinni, an independent security researcher who discovered the bugs.


Payloads can be injected into two Notepad++ XML files that have no validation, digital signatures, or other checks: config.xml and shortcuts.xml.

Attackers still need to get their hands on the system or trick a user into performing a malicious action themselves. But exploitation is straightforward – injected payloads run from the XML whenever a user performs a specific action, such as clicking a menu entry.

The advisories list a few potential attack vectors:

  • Attackers with initial access can simply edit the links or settings files directly to run payloads with the user’s privileges and maintain persistence.
  • Hackers can send a malicious .lnk (shortcut) file that points Notepad++ to open configuration files from an attacker-controlled directory. Double-clicking the shortcut would open a compromised Notepad++ instance.
  • Cloud sync poisoning – attackers can compromise one of the accounts and push poisoned settings files down to a user's machine.
  • Malicious archives or installers that sneak in bad configs, often via social engineering.

The two bugs are tracked as CVE-2026-48778 and CVE-2026-48800, and both have a severity rating of 7.8 out of 10.

The advisories further detail that the config.xml exploit triggers when users click File → Open Containing Folder → cmd. The payloads from shortcuts.xml trigger via injected menu entries.
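Because neither file is validated or signed, defenders can audit the two values themselves. The following is an added example, not code from the advisories or from the Notepad++ project: it assumes the interpreter setting is stored as `<GUIConfig name="commandLineInterpreter">` in config.xml and that custom menu entries are `<Command>` elements under `<UserDefinedCommands>` in shortcuts.xml (element names the article does not give), and the allowlist, approved set and sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: interpreter names treated as expected; replace with your own baseline.
ALLOWED_INTERPRETERS = {"", "cmd", "cmd.exe", "powershell", "powershell.exe"}

def audit_config(config_xml):
    """Return findings for an interpreter setting outside the allowlist."""
    findings = []
    for node in ET.fromstring(config_xml).iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            value = (node.text or "").strip()
            if value.lower() not in ALLOWED_INTERPRETERS:
                findings.append(f"config.xml: unexpected interpreter {value!r}")
    return findings

def audit_shortcuts(shortcuts_xml, approved):
    """Return findings for user-defined menu commands not in the approved set."""
    findings = []
    root = ET.fromstring(shortcuts_xml)
    for cmd in root.findall(".//UserDefinedCommands/Command"):
        entry = (cmd.get("name", ""), (cmd.text or "").strip())
        if entry not in approved:
            findings.append(
                f"shortcuts.xml: unapproved menu entry {entry[0]!r} -> {entry[1]!r}")
    return findings

# Constructed sample files (not taken from the advisories).
SAMPLE_CONFIG = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\\Users\\Public\\helper.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""

SAMPLE_SHORTCUTS = """<NotepadPlus><UserDefinedCommands>
  <Command name="Wikipedia Search" Ctrl="no" Alt="yes" Shift="no" Key="114">https://en.wikipedia.org/wiki/Special:Search?search=$(CURRENT_WORD)</Command>
  <Command name="Check for updates" Ctrl="no" Alt="no" Shift="no" Key="0">C:\\Users\\Public\\helper.exe</Command>
</UserDefinedCommands></NotepadPlus>"""

# Approved (name, command) pairs captured from a known-good profile.
APPROVED = {("Wikipedia Search",
             "https://en.wikipedia.org/wiki/Special:Search?search=$(CURRENT_WORD)")}

def run_audit():
    return audit_config(SAMPLE_CONFIG) + audit_shortcuts(SAMPLE_SHORTCUTS, APPROVED)

if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Run the same checks against every settings directory a machine may load, including cloud-synced profiles, since the advisories list those as delivery paths.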


The third patched Notepad++ bug is the least severe, but it can cause the program to crash reliably if any local process sends a malformed message.

The fix is out, and users are advised to update Notepad++ to v8.9.6.1 or later versions.

Notepad++ has been a target before. Earlier this year, suspected Chinese state-sponsored hackers hijacked the app’s update system to infect selected users with malware that ran undetected for months.

