## https://sploitus.com/exploit?id=FCED1A67-0F9F-5169-BA14-6EBD87F3368D
# CVE-2026-48800 โ Notepad++ Arbitrary Code Execution PoC
**Severity:** High | **Affected:** Notepad++ โค 8.9.6 | **Patched:** v8.9.6.1
A PoC script for CVE-2026-48800, an arbitrary code execution vulnerability in Notepad++ โค 8.9.6 via `shortcuts.xml`.
For full technical details, see the [official security advisory](https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-3x3f-3j39-pj3v).
## Usage
```
python cve-2026-48800.py
```
**Trigger after running:** Run โ Command Injection Demo
**Expected result:** `calc.exe` launches, confirming arbitrary code execution.
## Related
Also see [CVE-2026-48778](https://github.com/kavin-jindal/CVE-2026-48778-PoC) โ a companion vulnerability in the same Notepad++ release affecting `config.xml`.
## Author
**Kavin Jindal** โ [Avyukt Security](https://github.com/kavin-jindal)
[LinkedIn](https://www.linkedin.com/in/kavin-jindal/)
## Disclaimer
This PoC is published for educational and research purposes only. Use only on systems you own or have explicit permission to test.