Notepad++ release 8.9.6.1

PeterJones

@Coises said:

Does this vulnerability mean that a user, by manipulating the shortcuts file (and responding OK to the prompt in 8.9.6.1), would be able to execute an arbitrary program from an arbitrary directory (as it would be executing under the control of Notepad++, which has already been whitelisted)?

From my understanding, any “corporate management” system that would disallow running a specific executable by double-click or by command-line would also disallow it from running by ShellExecute. (if they didn’t, it would be an obvious hole that would have already been violated, and would have nothing to do with Notepad++ specifically).

Or would there still be a UAC prompt that the user could not satisfy?

If the system were set up to require UAC to run “untrusted” apps (which is how it used to be for me), then I would think there would still be the UAC prompt.

I don’t think your scenario is feasible (any more so than using any app that embeds a shell-execute).

Coises

@PeterJones said:

If the system were set up to require UAC to run “untrusted” apps (which is how it used to be for me), then I would think there would still be the UAC prompt.

That’s good. Thanks for clarifying.

Then it seems like a “simple” implementation would be to let an empty supressRunAlertDialog.xml file work as @donho suggested, which would make it easy to create the installer checkbox he mentioned to restore old behavior.

Either at the same time, or as a later enhancement, it could be added that if the file exists and is not empty, it works as you suggested, for users who want finer-grained protection.

donho

@Coises said:

Does this vulnerability mean that a user, by manipulating the shortcuts file (and responding OK to the prompt in 8.9.6.1), would be able to execute an arbitrary program from an arbitrary directory (as it would be executing under the control of Notepad++, which has already been whitelisted)? Or would there still be a UAC prompt that the user could not satisfy?

As you can imagine, I ask because if this represents a work-around for executing forbidden programs, it could become a reason system administrators would consider Notepad++ unsafe to install.

The vulnerability fix ensures that any program launched by Notepad++ is invoked using an absolute path, preventing hijacking. If the path is not in a trusted directory, Notepad++ displays a confirmation dialog.
I have no information about the behaviour on a corporate-managed workstation that is fully locked down. If previous version of Notepad++ (<= v8.6.9) were able to launch arbitrary programs, then this release can do so as well - the only difference is that it now adds a confirmation dialog.

xomx

@donho said:

Fix arbitrary code execution vulnerability via config.xml (CVE-2026-48778 ).
Fix arbitrary code execution vulnerability via shortcuts.xml (CVE-2026-48778 ).

IMO this is not a security vulnerability. Abuse of N++, I’d say.

Let’s see the published attack vectors:

Direct write to %APPDATA%\Notepad++\config.xml (same user privilege)
Malicious .lnk shortcut with -settingsDir= pointing to attacker-controlled directory
Archive extraction to AppData via social engineering

If someone can do arbitrary writes to my Windows user profile (or persuades me to do it for him via that mentioned social engineering), then such an attacker can easily do also other mischievous things, e.g. redirecting my user environment variables like %PATH%, where I can have paths to executables…

So if this is marked as Arbitrary Code Execution CVE, then it’s like patching up a small hole in a dam that just burst.

Cloud sync poisoning (NPP supports cloud choice path, Parameters.cpp:1386)

If someone gets into my cloud, then I have a bigger problem than a mischievous modification of some path.

Ditto the shortcuts.xml stuff.

---

I agree with @peterjones , I also like to launch any executable from the N++. And I like to point my shortcuts to any executable too.

---

@Coises said:

Notepad++ is installed on a corporate-managed workstation which is fairly locked down.

Users’ ability to execute programs is restricted; they cannot execute an arbitrary program from an arbitrary directory (so they can’t install their own programs, even as portables), but they can execute Notepad++.

Does this vulnerability mean that a user, by manipulating the shortcuts file (and responding OK to the prompt in 8.9.6.1), would be able to execute an arbitrary program from an arbitrary directory (as it would be executing under the control of Notepad++, which has already been whitelisted)?

No. If an app is not on a whitelist (realized e.g. by Windows App Control for Business), it should not be executed (even from a whitelisted app).

Or would there still be a UAC prompt that the user could not satisfy?

This is other thing. UAC gets in the way whenever an action is required to be performed with higher than the current privileges. So if an attacker creates e.g. that config.xml “commandLineInterpreter” redirection to his “mycmd.exe”, UAC shows up e.g. if that mycmd.exe has a manifest within with higher execution level requested.

donho

@xomx
The configuration files (config.xml, shortcuts.xml & others) could reside on any location with cloud option or by “-settingsDir=” command argument…

PeterJones

@Coises said:

Then it seems like a “simple” implementation would be to let an empty supressRunAlertDialog.xml file work as @donho suggested, which would make it easy to create the installer checkbox he mentioned to restore old behavior.

I am leaning towards agreeing. I like the idea of granular control from my suggestion, because some user/admin might want it, I don’t know how important it would be. OTOH, making it easy for the installer checkbox, and thus easy for users to opt out of this fix, is definitely important.
.

xomx

@donho said:

The configuration files (config.xml, shortcuts.xml & others) could reside on any location with cloud option or by “-settingsDir=” command argument…

So are you trying to fix a situation when a user (inadvertently) set for these N++ xml files a location, where also everyone else (instead of him or admins) has the write permission?

Coises

@xomx said:

@Coises said:
Does this vulnerability mean that a user, by manipulating the shortcuts file (and responding OK to the prompt in 8.9.6.1), would be able to execute an arbitrary program from an arbitrary directory (as it would be executing under the control of Notepad++, which has already been whitelisted)?

No. If an app is not on a whitelist (realized e.g. by Windows App Control for Business), it should not be executed (even from a whitelisted app).

Or would there still be a UAC prompt that the user could not satisfy?

This is other thing. UAC gets in the way whenever an action is required to be performed with higher than the current privileges. So if an attacker creates e.g. that config.xml “commandLineInterpreter” redirection to his “mycmd.exe”, UAC shows up e.g. if that mycmd.exe has a manifest within with higher execution level requested.

Thank you for the clarification.

If someone can do arbitrary writes to my Windows user profile (or persuades me to do it for him via that mentioned social engineering), then such an attacker can easily do also other mischievous things, e.g. redirecting my user environment variables like %PATH%, where I can have paths to executables…

That’s kind of why I wondered if the vulnerability was about a form of privilege escalation. If not…

You know, if someone gains write access to my desktop, they could replace my shortcut to Notepad++ with one that has the same name and icon but actually starts a malicious program. Shortcuts are a security risk! (/sarcasm… just in case)

donho

@xomx said:

So are you trying to fix a situation when a user (inadvertently) set for these N++ xml files a location, where also everyone else (instead of him or admins) has the write permission?

It is not the fix provided in v8.9.6.1, but it could be considered.

donho

I will see if I can treat only “-settingsDir=” & cloud option, and keep %appdata% case as before (without confirmation).

MarkusBodensee

@PeterJones said:

@Coises said:

Then it seems like a “simple” implementation would be to let an empty supressRunAlertDialog.xml file work as @donho suggested, which would make it easy to create the installer checkbox he mentioned to restore old behavior.

I am leaning towards agreeing. I like the idea of granular control from my suggestion, because some user/admin might want it, I don’t know how important it would be. OTOH, making it easy for the installer checkbox, and thus easy for users to opt out of this fix, is definitely important.
.

I like the idea of having a filled supressRunAlertDialog.xml, even if it may be a bit more difficult to implement, but on the other side:
There would be no need to add an option to the installer if the file should be installed or not. Just install/ship a prefilled file but with no added path by default and a user with admin rights can add the needed path. Or the file can be prefilled with all the program files path by default, so you don’t have to hard code them in source code. This way, admin in company environment would even be able to remove those paths at all if needed.

donho

@fml2 said:

@donho x64, installer (exe)

That’s strange. I really don’t see how the 3 vulnerability fixes could impact NppExport.dll during the installation.

What does it happen if you uncheck NppExport plugin during the installation?

donho

I implemented another solution that removes the annoying requirement of adding authorized directories.
This solution was suggested by the security expert who reported CVE-2026-48800.

The idea is as follows:
We use the user’s machine GUID to generate a HMAC of shortcuts.xml, and store this value in config.xml. Each time a customized command is launched, Notepad++ recalculates the HMAC of the current shortcuts.xml content on HD, and compare it with the stored value.

If the HMAC in config.xml is missing or does not match, the shortcuts.xml file will be opened for review and a warning dialog is displayed, and the user must validate (and possibly modify) the file. Otherwise no command will not be executed.

The PR is ready for review now:
https://github.com/notepad-plus-plus/notepad-plus-plus/pull/18079

Please let me know your thoughts on this alternative enhancement.

xomx

@donho said:

The PR is ready for review now:
https://github.com/notepad-plus-plus/notepad-plus-plus/pull/18079

Please let me know your thoughts on this alternative enhancement.

This is classic security through obscurity (read - “no security at all”) or if you prefer a CWE-656. Or maybe I should rather use here “security through well-known obscurity”, because N++ is opensource, so anyone can easily do what I did below, STR:

• add a new shortcut to N++ shortcuts.xml via N++ menu > Run > Run…, enter there C:\Windows\System32\charmap.exe, click on Save…, enter a name for it, e.g. CharacterMap (you can also set a key-shortcut if you like, e.g. Ctrl+Alt+M seems to be free)
• the above will create new record in the N++ shortcuts.xml file (in my case: <Command Key="77" Shift="no" Alt="yes" Ctrl="yes" name="CharacterMap">C:\Windows\System32\charmap.exe</Command>)
• try it (e.g. via that Ctrl+Alt+M), the Windows CharMap should launch
• close N++
• go to where your N++ shortcuts.xml is and do the “evil” in question - e.g. modify the relevant line to <Command Key="77" Shift="no" Alt="yes" Ctrl="yes" name="CharacterMap">C:\Windows\System32\cmd.exe</Command>
• relaunch N++, press again that Ctrl+Alt+M, you should see the new warning:
  
  and the shortcuts.xml will be opened for you to review (DO NOT VALIDATE IT now, remember - we want to play here as the “attackers” do…)
• instead of validating via the N++ menu > Run > Validate shortcuts.xml, just close the N++ app for now

In the next steps we manually mimic (as a potential attacker also can) what the N++ app validation does:

• in the dir with your current N++ shortcuts.xml, create and launch this batch:

@echo off
setlocal enabledelayedexpansion

set "FILE_PATH=shortcuts.xml"

if not exist "%FILE_PATH%" (
    echo Error: Notepad++ file not found - "%FILE_PATH%"
    pause
    exit /b 1
)

echo.
echo Processing file: %FILE_PATH%
echo.

powershell -NoProfile -Command "$guid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid; $guid | Out-File 'MachineGuid-key.tmp' -Encoding ascii -NoNewline; $hmac = New-Object System.Security.Cryptography.HMACSHA256; $hmac.Key = [System.Text.Encoding]::UTF8.GetBytes($guid); $hash = [System.BitConverter]::ToString($hmac.ComputeHash([System.IO.File]::ReadAllBytes('%FILE_PATH:\=\\%'))).Replace('-','').ToLower(); $hash | Out-File 'HMAC.txt' -Encoding ascii -NoNewline;"

set /p SECRET_KEY=<MachineGuid-key.tmp
set /p HMAC_RESULT=<HMAC.txt
del MachineGuid-key.tmp

echo Secret-Key (MachineGuid): %SECRET_KEY%
echo HMAC-SHA256 Signature:    %HMAC_RESULT%
echo.
echo HMAC saved to: %cd%\HMAC.txt
echo.

endlocal
pause

• open the generated HMAC.txt file (e.g. in Windows Notepad app)
• open there also your current N++ config.xml file, edit the relevant line, mine was:
  <GUIConfig name="shortcutsXmlHMAC" value="5b3ed06c526a812cc93e147d5243adb0eded6b7529a59883977f480985bc360e" />, use your HMAC from the manually generated HMAC.txt file
• save N++ config.xml file
• relaunch N++, try Ctrl+Alt+M again (now no warning - an attacker silently fooled us to run whatever he wants, here only the cmd.exe instead of charmap.exe)

I’ll repeat myself here - the fixed CVE is not a security vulnerability! @coises has above another great example - modify in the same way e.g. the N++ shortcut on the Desktop (and be surprised that instead of notepad++.exe, you will launch whatever else…)

N++ is a powerful tool, like a sharp knife. And like with the sharp knife, users can “cut themselves” if not handled properly (allowing anyone else than me or admins to write to my N++ config.xml & shortcuts.xml…).

fml2

@donho I unchecked the plugins item (i.e. all of them); the installation completed then.

donho

@fml2
Did you check if NppExport.dll is read-only in your system?

androidec50

@donho you forgot to update/upload this new minor version to winget microsoft repository?

Until now I only can find 8.9.6.

Thank you so much.

donho

@xomx

The HMAC is only meant to protect against the -settingsDir= & settings on Cloud option vectors where the attacker prepares a malicious directory on a different machine — a USB drive, a downloaded archive, a network share. In that case they genuinely don’t know the victim’s MachineGUID and cannot forge the HMAC.