The Windows 11 Notepad app, recently upgraded with AI features, now carries a high-severity flaw that exposes users to dangerous attacks. Hackers can simply send boobytrapped text files and remotely compromise users with a single click.
A newly disclosed vulnerability reignited criticism of Microsoft’s recent expansion into AI-powered and online features.
“The new AI-powered Notepad on Windows 11 was found to have a Remote Code Execution zero-day. Hot take: text editors don’t need network functionality,” malware researchers vx-underground posted on X.
This feeling is shared by many other experts and users, who complain that Microsoft itself forced features on Notepad users without asking whether anyone wanted them.
Manel Rodero, a computer engineer at the Polytechnic University of Catalonia, is another who complains that “Microsoft is turning Notepad into a slow, feature-heavy mess we don't need.”
“We just want something to open text files, not an AI-powered editor with security holes like this. Who the hell is in charge of this development?” Rodero’s post reads.
“Well, a new feature just dropped,” yet another X user mocked the discovered remote code execution vulnerability.
According to Microsoft’s security advisory, hackers can trick Windows users into clicking a malicious link inside a Markdown file, a text-based document, opened by default by the Notepad app on most Windows systems, unless the user specifies another app.
This would then cause Notepad to launch unverified protocols that load and execute remote files.
Microsoft warns that a single click could execute malicious remote code with the same permissions as the user.
The Cybernews community is talking about this. Be a part of the conversation.
“Improper neutralization of special elements used in a command (‘command injection’) in Windows Notepad App allows an unauthorized attacker to execute code over a network,” the advisor reads.
Microsoft itself acknowledges that potential attacks are low in complexity, require no additional privileges, but would grant attackers access to highly sensitive data.
The flaw, labeled CVE-2026-20841, has a severity rating of 8.8 out of 10. Microsoft patched it as part of its monthly security updates, known as Patch Tuesday. Microsoft has also released fixes for six new zero-day vulnerabilities actively exploited in the wild, along with 50 other security updates.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked