CVSS 3.1 score: 7.3

Notepad++ versions before 8.9.2 can run a malicious explorer.exe when opening Windows Explorer

CVE-2026-25926
Summary

Notepad++ versions prior to 8.9.2 may allow an attacker to run malicious code on your computer when you open Windows Explorer from within the program. The issue is fixed in version 8.9.2; if you are not already running it, update your Notepad++ installation to the latest version.

What to do

Update to Notepad++ 8.9.2 or later, which patches the issue.

Affected software
Vendor | Product | Affected versions | Fix available
notepad-plus-plus | notepad++ | <= 8.9.2 | –
Original title
Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executabl...
Original description
Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.
NVD CVSS 3.1: 7.3
Vulnerability type
CWE-426
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
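
The unsafe search path from the description, shown as an added C++/Win32 example; it is not Notepad++ source code or its actual patch. The weak form is an assumed shape of the call, and `isFullyQualified`, `explorerPath` and `openFolderInExplorer` are hypothetical helper names.

```cpp
// Added illustration of CWE-426 (untrusted search path); not Notepad++ source code.
#include <cwctype>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// True only for a fully qualified drive path such as C:\Windows\explorer.exe.
// Bare names and relative paths fail: they go through a search order instead.
bool isFullyQualified(const std::wstring& p) {
    return p.size() >= 3 && std::iswalpha(p[0]) && p[1] == L':' && p[2] == L'\\';
}

// Join the OS-reported Windows directory with explorer.exe; empty on bad input.
std::wstring explorerPath(std::wstring windowsDir) {
    if (!isFullyQualified(windowsDir)) return L"";
    if (windowsDir.back() != L'\\') windowsDir += L'\\';
    return windowsDir + L"explorer.exe";
}

#ifdef _WIN32
// Weak form (assumed shape; the advisory does not show the call): a bare name,
// so the working directory is searched before the Windows directory.
//   wchar_t cmd[] = L"explorer.exe C:\\some\\folder";
//   CreateProcessW(nullptr, cmd, ...);
// Hardened form: absolute image path in lpApplicationName, so nothing is searched.
// `folder` is assumed to contain no quotes and no trailing backslash.
bool openFolderInExplorer(const std::wstring& folder) {
    wchar_t winDir[MAX_PATH];
    UINT n = GetSystemWindowsDirectoryW(winDir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return false;
    const std::wstring exe = explorerPath(winDir);
    if (exe.empty()) return false;
    std::wstring cmd = L"\"" + exe + L"\" \"" + folder + L"\"";
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi{};
    if (!CreateProcessW(exe.c_str(), &cmd[0], nullptr, nullptr, FALSE, 0,
                        nullptr, nullptr, &si, &pi)) return false;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return true;
}
#endif

int main() {
#ifdef _WIN32
    if (!openFolderInExplorer(L"C:\\Users\\Public")) return 1;  // constructed sample
#endif
    return isFullyQualified(explorerPath(L"C:\\Windows")) ? 0 : 1;
}
```

The Win32 part compiles only on Windows; the two path helpers are portable, so the check can be unit-tested anywhere.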