CVE-2026-46710 | Notepad++ is a free and open-source source code editor. From… | CVSS 7.5 HIGH

Description

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.

Metadata

CVE ID: CVE-2026-46710
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-15 23:26 UTC
Published: 2026-06-26 20:16 UTC
Last updated: 2026-06-26 20:16 UTC
Primary CWE: CWE-426
CWE-426: Untrusted Search Path
Vendor / Product: notepad-plus-plus / notepad-plus-plus
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 4.0

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
notepad-plus-plus	notepad-plus-plus	—	>= 8.9.4, < 8.9.6

Weakness (CWE)

CWE	Source	Description
CWE-426	cna	CWE-426: Untrusted Search Path

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-6f8f-vmfc-r8c5 https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-6f8f-vmfc-r8c5
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/1d4aabe2102d982667ead2dd974bee5e0b1f2d9c https://github.com/notepad-plus-plus/notepad-plus-plus/commit/1d4aabe2102d982667ead2dd974bee5e0b1f2d9c