Multiple Notepad++ Vulnerabilities Enable PowerShell Command Injection Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Notepad++ v8.9.7 has been released with critical security fixes addressing multiple vulnerabilities, including a high-risk PowerShell command injection flaw that could enable arbitrary code execution during installation.

The update resolves five distinct issues spanning path traversal, buffer overflow, and authentication bypass weaknesses, reinforcing the security posture of one of the most widely used Windows text editors.

The most severe issue fixed in this release involves an install-time PowerShell command injection vulnerability. Improper handling of PowerShell commands within the installer could allow attackers to manipulate execution flow and inject arbitrary commands.

In real-world scenarios, this could be exploited through tampered installation packages or social engineering attacks, leading to full system compromise.

Notepad++ developers have improved the robustness of PowerShell command handling in the installer, mitigating the risk of command injection and unauthorized execution.

Beyond the PowerShell issue, the release patches several other critical vulnerabilities affecting different components:

  • A stack buffer overflow in the expandNppEnvironmentStrs function could lead to memory corruption and potential code execution.
  • A Zip Slip (path traversal) flaw in the updater (WinGUp) could allow attackers to overwrite arbitrary files during update extraction.
  • A session handling flaw allowed bypassing path validation via manipulated session.xml entries.
  • A macro integrity bypass in shortcuts.xml could enable unauthorized macro execution without proper HMAC verification.

These vulnerabilities demonstrate how local configuration files and update mechanisms can be abused as attack vectors if not properly secured.

CVE ID Vulnerability Component Impact
CVE-2026-52886 session.xml backupFilePath starts_with bypass Session management Path validation bypass
CVE-2026-54758 Stack buffer overflow in expandNppEnvironmentStrs Core function Memory corruption, possible RCE
CVE-2026-57233 Zip Slip (path traversal) Updater (WinGUp) Arbitrary file overwrite
Not Assigned shortcuts.xml macro HMAC bypass Macro system Integrity bypass, macro abuse
Not Assigned PowerShell command injection Installer Arbitrary command execution

Additional Fixes and Enhancements

Alongside security patches, Notepad++ v8.9.7 introduces several stability improvements and user-requested features. Key updates include:

  • Persistent expand/collapse state in “Folder as Workspace”
  • Enhanced Incremental Search with count and nth-position indicators
  • Fixes for crashes, UI glitches, and high-DPI scaling issues
  • Updates to Scintilla 5.6.4, Lexilla 5.5.1, and pugixml 1.16

Numerous bug fixes also address file handling inconsistencies, symbolic link freezes, and search-related performance issues.

Users are strongly advised to update to Notepad++ v8.9.7 immediately, especially those in enterprise or development environments where the editor interacts with untrusted files or is used in automated workflows.

As a practical example, a developer downloading a compromised installer from a spoofed source could unknowingly trigger the PowerShell injection vulnerability, allowing attackers to deploy malware during installation without user awareness.

Keeping software updated and validating download sources remain critical defenses against such exploitation paths.

The Notepad++ team has indicated that the auto-updater will roll out this version within two weeks if no major regressions are detected, but manual updates are recommended for immediate protection.

Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.