CVE-2025-15556

HIGH KEV

Notepad-plus-plus Notepad++ < 8.8.9 - Download Without Integrity Check

Title source: rule

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-15556
nomisec WORKING POC 1 stars
by George0Papasotiriou · poc
https://github.com/George0Papasotiriou/CVE-2025-15556-Notepad-WinGUp-Updater-RCE
nomisec WRITEUP
by renat0z3r0 · poc
https://github.com/renat0z3r0/notepadpp-supply-chain-iocs

References (7)

Scores

CVSS v3 7.5
EPSS 0.0609
EPSS Percentile 90.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2026-02-12
VulnCheck KEV 2026-02-02
ENISA EUVD EUVD-2025-206661
CWE
CWE-494
Status published
Products (1)
notepad-plus-plus/notepad\+\+ < 8.8.9
Published Feb 03, 2026
KEV Added Feb 12, 2026
Tracked Since Feb 18, 2026