CVE-2026-46710 in Notepad++
Summary
by MITRE • 06/27/2026
Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/27/2026
The vulnerability described represents a critical local privilege escalation flaw in Notepad++ versions 8.9.4 through 8.9.6 that stems from improper executable invocation practices during the installation process. This issue occurs specifically within the installer component that handles context menu integration, where the installation routine executes powershell.exe without specifying an absolute path. The vulnerability exploits a fundamental security principle by relying on the system PATH environment variable to resolve executable locations, creating an attack surface that can be manipulated by adversaries with access to user-writable directories. When the installer sets its working directory to the installation contextMenu directory and subsequently calls powershell.exe, it assumes the system will locate the legitimate PowerShell executable through standard PATH resolution mechanisms.
The technical exploitation of this vulnerability requires an attacker to position a malicious powershell.exe binary in a location that will be used during installation by a privileged user. This attack vector directly relates to CWE-426 Untrusted Search Path and CWE-78 Improper Neutralization of Special Elements used in OS Command Injection, as the installer's reliance on PATH-based resolution creates an environment where attacker-controlled executables can masquerade as legitimate system components. The vulnerability demonstrates how simple path resolution practices can lead to significant security implications when combined with elevated privilege execution contexts. When a privileged user executes the Notepad++ installer and selects a directory containing the attacker-controlled PowerShell executable, the malicious binary is launched with the same elevated privileges as the installer itself, effectively allowing privilege escalation from standard user to system-level access.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential full system compromise when combined with other attack techniques. An attacker who successfully exploits this vulnerability can execute arbitrary code with elevated privileges, potentially enabling them to install malware, modify system files, create backdoors, or establish persistent access to the compromised system. This particular flaw affects any Windows environment where Notepad++ is installed and where attackers have control over user-writable directories that might be selected during installation. The vulnerability's exploitation requires minimal sophistication but can result in significant damage, as it essentially provides a path for privilege escalation without requiring any special knowledge of the target system beyond basic file system access rights. The impact is particularly severe because the installer typically runs with elevated privileges, making this attack vector especially dangerous when targeting systems where standard users might be able to influence installation locations through various means such as shared network drives or other directory manipulation techniques.
Mitigation strategies for this vulnerability should focus on both immediate remediation and long-term architectural improvements in software installation practices. The most straightforward solution involves updating to Notepad++ version 8.9.6 or later, where the installer properly uses absolute paths when invoking powershell.exe, eliminating the PATH-based resolution that enables exploitation. Organizations should implement strict access controls on user-writable directories, particularly those that might serve as installation targets for software packages. Security monitoring should include detection of unauthorized executable placement in common installation directories, and system administrators should conduct regular audits to identify any potentially malicious binaries that may have been placed in directories accessible during installer execution. The vulnerability also highlights the importance of secure coding practices around executable invocation, particularly in privilege escalation contexts. This issue aligns with ATT&CK technique T1068 Exploitation for Privilege Escalation and demonstrates how seemingly minor implementation details can create significant security risks, emphasizing the need for comprehensive security testing during software development lifecycle processes including proper path resolution validation and elevated privilege handling protocols.