Login Sign Up

CVE-2026-25926

7.3 HIGH

📋 TL;DR

Notepad++ versions before 8.9.2 have an unsafe search path vulnerability when launching Windows Explorer. This could allow an attacker to execute malicious code by placing a fake explorer.exe in a controlled directory, potentially leading to arbitrary code execution with the same privileges as the Notepad++ user.

💻 Affected Systems

Products:
  • Notepad++
Versions: All versions prior to 8.9.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Windows environment and user interaction to trigger Windows Explorer launch from Notepad++.

📦 What is this software?

Notepad\+\+ by Notepad Plus Plus

View all CVEs affecting Notepad\+\+ →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with the privileges of the Notepad++ user, potentially leading to lateral movement or persistence.

🟠

Likely Case

Local privilege escalation or execution of malicious payloads if an attacker can control the working directory.

🟢

If Mitigated

Limited impact due to user privilege restrictions and lack of attacker-controlled directories.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring user interaction or local access.
🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or through lateral movement in compromised environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to control the process working directory or place malicious explorer.exe in a directory that will be searched before the legitimate Windows directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.9.2

Vendor Advisory: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-rjvm-fcxw-2jxq

Restart Required: Yes

Instructions:

1. Download Notepad++ 8.9.2 or later from https://notepad-plus-plus.org/downloads/ 2. Run the installer 3. Restart Notepad++ if already running

🔧 Temporary Workarounds

Avoid launching Windows Explorer from Notepad++

windows

Do not use the 'Open Containing Folder' or similar features that launch Windows Explorer from Notepad++

Restrict directory permissions

windows

Ensure users cannot write to directories that would be searched before the legitimate Windows directory

🧯 If You Can't Patch

  • Restrict user permissions to prevent writing to directories in the system PATH
  • Implement application whitelisting to block execution of unauthorized explorer.exe files

🔍 How to Verify

Check if Vulnerable:

Check Notepad++ version in Help > About Notepad++. If version is below 8.9.2, the system is vulnerable.

Check Version:

notepad++ --version or check in Help > About Notepad++

Verify Fix Applied:

After updating, verify version is 8.9.2 or higher in Help > About Notepad++.

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for explorer.exe from unusual directories
  • Notepad++ process spawning unexpected child processes

Network Indicators:

  • Unusual outbound connections following Notepad++ execution

SIEM Query:

Process Creation where Parent Process Name contains 'notepad++' and Process Name contains 'explorer.exe' and Process Path not contains 'C:\Windows'

📊 Metadata

CVE ID: CVE-2026-25926
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-426
Published: February 19, 2026
Last Updated: February 19, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-25926, you might also want to check these:

CVE-2023-30330 9.8

SoftExpert Excellence Suite 2.x versions before 2.1.3 contain a Local File Inclusion vulnerability i...

Same vulnerability type (CWE-426)
CVE-2025-26155 9.8

This CVE describes an Untrusted Search Path vulnerability in NCP VPN clients that allows attackers t...

Same vulnerability type (CWE-426)
CVE-2022-26184 9.8

CVE-2022-26184 is an untrusted search path vulnerability in Poetry package manager versions 1.1.9 an...

Same vulnerability type (CWE-426)