CVE-2026-25926 – Notepad++ Security Update
“This vulnerability allowed specially crafted files or malicious libraries to trigger code execution under the user’s account.”
CVE-2026-25926 is a high-severity vulnerability (CVSS 7.3) affecting Notepad++. The issue stems from improper handling of file loading or external library behavior, which could allow a malicious file or dynamic-link library (DLL) to execute unintended code.
An attacker could exploit this flaw by convincing a user to open a specially crafted file or by placing a malicious DLL in a location searched by the application. If successfully triggered, arbitrary code would execute with the privileges of the logged-in user. This could lead to data theft, system changes, malware installation, or further compromise within a corporate environment.
The vulnerability has been resolved in the latest Notepad++ release.
Key Details
- Affected Product: Notepad-plus-plus Notepad++
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- CWE Classification: CWE-426
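
The following is an added example, not code from this advisory or from the Notepad++ project: a defender-side audit for the search-path condition described above, where a DLL sits in a location the application searches. It takes an ordered list of directories and reports library names present in more than one of them, directories the current account can write to, and stale entries. The function name `audit_search_path` and the search list used in the stand-alone run (current directory, then `PATH`) are assumptions, since the advisory does not name the library or directory involved.

```python
import os
from collections import defaultdict

def audit_search_path(search_dirs, extensions=(".dll",)):
    """Audit an ordered library search path for untrusted-search-path risk.

    Returns (shadowed, writable, missing):
      shadowed: {library name: [directories holding a copy, in search order]}
                for names found in more than one directory; the first entry
                is the copy a search-order lookup would pick.
      writable: existing directories the current account can write to.
      missing:  listed directories that do not exist (stale entries).
    """
    copies = defaultdict(list)
    writable, missing, seen = [], [], set()
    for entry in search_dirs:
        if not entry:
            continue  # empty PATH segment
        path = os.path.normcase(os.path.realpath(entry))
        if path in seen:
            continue  # duplicate entry, already audited
        seen.add(path)
        if not os.path.isdir(path):
            missing.append(path)
            continue
        # Coarse check only: on Windows, confirm against the directory's ACL.
        if os.access(path, os.W_OK):
            writable.append(path)
        try:
            names = os.listdir(path)
        except OSError:
            continue  # unreadable directory: nothing to compare
        for name in names:
            if name.lower().endswith(tuple(extensions)):
                copies[name.lower()].append(path)
    shadowed = {n: d for n, d in copies.items() if len(d) > 1}
    return shadowed, writable, missing

if __name__ == "__main__":
    # Assumed search list (current directory, then PATH); the advisory does
    # not name the directory or library involved.
    dirs = [os.getcwd()] + os.environ.get("PATH", "").split(os.pathsep)
    shadowed, writable, missing = audit_search_path(dirs)
    for name, where in sorted(shadowed.items()):
        print(f"{name}: first match in {where[0]}, also present in {where[1:]}")
    for path in writable:
        print(f"writable by current account: {path}")
    for path in missing:
        print(f"listed but missing: {path}")
```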