
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN550
_____________________________________________________________________

DATE                : 27/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Notepad++ versions prior to
                     8.9.6.1.

=====================================================================
https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9
https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-r39g-3mcw-xcg2
https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-6f8f-vmfc-r8c5
_____________________________________________________________________


Arbitrary Code Execution via XML files
High
donho published GHSA-7hm3-wp5q-ccv9 May 26, 2026

Package
Notepad++

Affected versions
<= v8.9.6

Patched versions
v8.9.6.1


Description
1. via config.xml commandLineInterpreter


Summary

The <GUIConfig name="commandLineInterpreter"> tag in config.xml is
read by NppXml::value() 
(Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter
without any validation, whitelist, or digital signature check. When
the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd),
NppCommands.cpp:228 creates a Command object with this value and
calls run(), which invokes ShellExecute (RunDlg.cpp:221) with
the attacker-controlled string as the executable path.


Trigger

File → Open Containing Folder → cmd
(or right-click tab → Open into → Open Containing Folder in cmd)


Attack Vectors

  - Direct write to %APPDATA%\Notepad++\config.xml (same user privilege)
  - Malicious .lnk shortcut with -settingsDir= pointing to an
    attacker-controlled directory
  - Cloud sync poisoning (NPP supports cloud choice path, Parameters.cpp:1386)
  - Archive extraction to AppData via social engineering

PoC

Payload (inject into the appropriate XML file):
<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>
Expected result: Windows Calculator (calc.exe) opens instead
of the normal action.


Recommended Remediation

Implement a whitelist of allowed interpreters (e.g., cmd.exe,
powershell.exe, bash.exe). Validate that the resolved path
points to an executable in a system directory. Add a user
confirmation dialog before executing the command.


Patches

24c7b5c

2. via shortcuts.xml UserCommand Injection

Summary

The <Command> tag text content inside <UserDefinedCommands> in
shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658)
in the feedUserCmds() function and stored in UserCommand._cmd
without any validation. When the user clicks the corresponding
entry in the Run menu, NppCommands.cpp:4264 creates a Command
object with string2wstring(ucmd.getCmd()) and calls run(), which
invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled
string as the executable path. The injected command appears as a
normal menu item in the Run menu, making it a viable persistence
mechanism.

Trigger

Run menu → [injected command name] (e.g., "System Update Check")

Attack Vectors

  - Direct write to %APPDATA%\Notepad++\shortcuts.xml (same user privilege)
  - Malicious .lnk shortcut with -settingsDir= pointing to an
    attacker-controlled directory
  - Persistence: attacker with temporary access injects a backdoor
    command that survives reboots
  - The injected entry appears with a legitimate-looking name in the
    Run menu

PoC

Payload (inject into the appropriate XML file):
<Command name="System Update Check" Ctrl="no" Alt="no" Shift="no" Key="0">calc.exe</Command>
Expected result: Windows Calculator (calc.exe) opens
instead of the normal action.


Recommended Remediation

Add a user confirmation dialog before executing UserCommand
entries. Implement command content validation or restrict to
URL-only patterns. Consider signing shortcuts.xml and
verifying integrity at load time. Display a warning when new
Run menu commands are detected that were not added via the GUI.
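The allowlist check and the URL-only restriction that the two Recommended Remediation sections above describe, written out as an added example that is not Notepad++ project code; the allowlist contents, the system directory list and both function names are assumptions, and a real build would canonicalize the path with the platform API before the prefix test:

```cpp
#include <algorithm>
#include <cwctype>
#include <string>
#include <vector>

// Assumed allowlist (taken from the remediation text) and system directories.
static const std::vector<std::wstring> kAllowedInterpreters = {
    L"cmd.exe", L"powershell.exe", L"bash.exe"};
static const std::vector<std::wstring> kSystemDirs = {
    L"c:\\windows\\system32\\", L"c:\\windows\\syswow64\\"};

static std::wstring toLower(std::wstring s) {
    for (auto& c : s) c = static_cast<wchar_t>(std::towlower(c));
    return s;
}

// Gate for the commandLineInterpreter value before it reaches ShellExecute:
// accept an allowlisted bare name, or an absolute path to one that sits
// under a system directory. Anything else (calc.exe, a user-writable path,
// a ".." traversal that would defeat the prefix check) is rejected.
bool isAllowedInterpreter(const std::wstring& value) {
    std::wstring v = toLower(value);
    std::replace(v.begin(), v.end(), L'/', L'\\');
    if (v.find(L"..") != std::wstring::npos) return false;
    std::size_t slash = v.rfind(L'\\');
    std::wstring base = (slash == std::wstring::npos) ? v : v.substr(slash + 1);
    if (std::find(kAllowedInterpreters.begin(), kAllowedInterpreters.end(), base)
            == kAllowedInterpreters.end())
        return false;
    if (slash == std::wstring::npos) return true;  // bare name, resolved by the OS
    for (const auto& dir : kSystemDirs)
        if (v.compare(0, dir.size(), dir) == 0) return true;
    return false;
}

// "URL-only" gate for Run-menu UserCommand bodies: a single http(s) URL with
// no whitespace or quotes, so the entry opens a browser rather than
// launching an arbitrary executable.
bool isUrlOnlyCommand(const std::wstring& cmd) {
    std::wstring c = toLower(cmd);
    bool hasScheme = c.rfind(L"http://", 0) == 0 || c.rfind(L"https://", 0) == 0;
    return hasScheme && c.find_first_of(L" \t\r\n\"") == std::wstring::npos;
}

int main() {
    // Stand-alone check against the advisory's PoC payload, calc.exe.
    return (!isAllowedInterpreter(L"calc.exe") && isAllowedInterpreter(L"cmd.exe")) ? 0 : 1;
}
```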


Patch

6b3dc52


Credit

Michele Piccinni


Severity
High
7.8 / 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-48778

Weaknesses
Weakness CWE-78

_____________________________________________________________________

Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash
Moderate
donho published GHSA-r39g-3mcw-xcg2 May 26, 2026

Package
Notepad++

Affected versions
<= v8.9.6

Patched versions
v8.9.6.1


Description

Summary

A local process in the same interactive Windows session can send a
malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE
path. The handler appears to process COPYDATASTRUCT.lpData as an
unbounded NUL-terminated wchar_t* instead of enforcing
COPYDATASTRUCT.cbData.


Impact

This can cause a reliable local denial of service against Notepad++.
Windows confirms the crash through Application Error and
Windows Error Reporting events:

APPCRASH for notepad++.exe
Event IDs: 1000 and 1001
Exception codes observed: 0xc0000005 / 0xc000041d
Fault offset: 0x0000000000003313

PoC

We have attached payload.txt (PowerShell script) and a short video (too
big to be uploaded) demonstrating the issue.

To reproduce, open Notepad++ and run the attached script from PowerShell
in the same interactive Windows session.
The script locates the Notepad++ window, sends a malformed WM_COPYDATA
message, and then prints the Windows Event Log evidence confirming the
crash.

The malformed IPC message uses:
  - WM_COPYDATA
  - dwData = 3 / COPYDATA_FULL_CMDLINE
  - cbData = 8192
  - lpData = 4096 WCHARs without NUL terminator

In our tests, SendMessageTimeout returns a timeout, and Windows records
an APPCRASH event for notepad++.exe shortly after.


Suggested fix

The handler should validate cbData, ensure the buffer is wchar_t-aligned,
reject malformed unterminated input, and construct the command-line
string using a bounded length derived from cbData.
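A bounded handler of the kind the suggested fix describes, as an added example that is not Notepad++ code; the CopyDataStruct stand-in, the 64 KiB ceiling and the function name are assumptions, and dwData = 3 mirrors the PoC above:

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Stand-in for the Win32 COPYDATASTRUCT (constructed so this builds
// anywhere; the real one comes from <windows.h>).
struct CopyDataStruct {
    std::uintptr_t dwData;   // message kind; 3 is COPYDATA_FULL_CMDLINE in the PoC
    std::uint32_t  cbData;   // byte length of the sender's buffer
    const void*    lpData;   // sender-controlled bytes
};

constexpr std::uintptr_t kCopyDataFullCmdLine = 3;      // value from the PoC
constexpr std::uint32_t  kMaxCmdLineBytes = 64 * 1024;  // assumed ceiling

// Bounded extraction of the command line: every read stays inside cbData
// bytes, and a missing NUL inside that window is an error rather than a
// reason to keep scanning past the end of the buffer.
std::optional<std::wstring> extractFullCmdLine(const CopyDataStruct& cds) {
    if (cds.dwData != kCopyDataFullCmdLine) return std::nullopt;
    if (cds.lpData == nullptr || cds.cbData == 0) return std::nullopt;
    if (cds.cbData > kMaxCmdLineBytes) return std::nullopt;
    if (cds.cbData % sizeof(wchar_t) != 0) return std::nullopt;  // whole wchar_t only
    if (reinterpret_cast<std::uintptr_t>(cds.lpData) % alignof(wchar_t) != 0)
        return std::nullopt;                                    // misaligned buffer
    const std::size_t count = cds.cbData / sizeof(wchar_t);
    const wchar_t* chars = static_cast<const wchar_t*>(cds.lpData);
    std::size_t len = 0;
    while (len < count && chars[len] != L'\0') ++len;           // bounded scan
    if (len == count) return std::nullopt;                      // unterminated
    return std::wstring(chars, len);
}

int main() {
    // The PoC's shape: 4096 wide characters and no terminator.
    std::vector<wchar_t> payload(4096, L'A');
    CopyDataStruct cds{kCopyDataFullCmdLine,
                       static_cast<std::uint32_t>(payload.size() * sizeof(wchar_t)),
                       payload.data()};
    return extractFullCmdLine(cds).has_value() ? 1 : 0;  // 0: rejected, no crash
}
```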

We can provide any additional details, crash evidence, or testing output
if needed.

Patches

f20a088


Credits

Enrique de Clerck, Leonardo Gutiérrez, and Daniel Cifuentes


Severity
Moderate
5.0 / 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-48770

Weaknesses
Weakness CWE-125

_____________________________________________________________________

Privilege Escalation in Notepad++ v8.9.4 & v8.9.5 Installer via
Uncontrolled Executable Search Path

High
donho published GHSA-6f8f-vmfc-r8c5 May 21, 2026

Package
npp.8.9.4.installer.x64.exe & npp.8.9.5.installer.x64.exe

Affected versions
v8.9.4 & v8.9.5

Patched versions
v8.9.6


Description

Impact

Notepad++ v8.9.4 and v8.9.5 contain a local privilege escalation
vulnerability in the installer. During installation, the installer
invokes powershell.exe without using an absolute path after setting
the working directory to the installation contextMenu directory.
If an attacker can pre-place a malicious powershell.exe in a
user-writable custom installation directory, and a privileged user
later runs the installer and selects that directory, the
attacker-controlled executable is launched with the elevated
privileges of the installer.

Affected versions: Notepad++ 8.9.4 and 8.9.5
Fixed version: Notepad++ v8.9.6

Patches

1d4aabe

Credits

Enrique de Clerck, Leonardo Gutiérrez, and Daniel Cifuentes


Severity
High

CVE ID
CVE-2026-46710

Weaknesses
Weakness CWE-125


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================