Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.
Metrics
Affected Vendors & Products
References
History
Mon, 29 Jun 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Notepad-plus-plus
Notepad-plus-plus notepad++ |
|
| Vendors & Products |
Notepad-plus-plus
Notepad-plus-plus notepad++ |
Mon, 29 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 26 Jun 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2. | |
| Title | Notepad++: CVE-2026-48800 Bypass | |
| Weaknesses | CWE-42 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-26T20:11:40.227Z
Updated: 2026-06-29T12:11:01.248Z
Reserved: 2026-06-08T21:44:27.365Z
Link: CVE-2026-52884
Updated: 2026-06-29T12:10:50.760Z
No data.
No data.