Share
## https://sploitus.com/exploit?id=FCED1A67-0F9F-5169-BA14-6EBD87F3368D
# CVE-2026-48800 โ€” Notepad++ Arbitrary Code Execution PoC

**Severity:** High | **Affected:** Notepad++ โ‰ค 8.9.6 | **Patched:** v8.9.6.1

A PoC script for CVE-2026-48800, an arbitrary code execution vulnerability in Notepad++ โ‰ค 8.9.6 via `shortcuts.xml`.

For full technical details, see the [official security advisory](https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-3x3f-3j39-pj3v).

## Usage

```
python cve-2026-48800.py
```

**Trigger after running:** Run โ†’ Command Injection Demo

**Expected result:** `calc.exe` launches, confirming arbitrary code execution.

## Related

Also see [CVE-2026-48778](https://github.com/kavin-jindal/CVE-2026-48778-PoC) โ€” a companion vulnerability in the same Notepad++ release affecting `config.xml`.

## Author

**Kavin Jindal** โ€” [Avyukt Security](https://github.com/kavin-jindal)  
[LinkedIn](https://www.linkedin.com/in/kavin-jindal/)

## Disclaimer

This PoC is published for educational and research purposes only. Use only on systems you own or have explicit permission to test.