Notepad++ has released an urgent security update (v8.9.6.1) addressing three vulnerabilities, including two critical arbitrary code execution flaws that allow attackers to run malicious programs by exploiting the application's config files. The most severe vulnerability (CVE-2026-48778) involves the unvalidated execution of commands from the config.xml file, enabling attackers to execute arbitrary code via various methods such as malicious shortcuts or cloud sync poisoning. Users are strongly advised to update immediately to protect against these risks.
https://cybersecuritynews.com/critical-notepad-vulnerabilities/
