CVE-2026-48770

MEDIUM

Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-48770. PoCs published by atiilla.

AI-analyzed exploit summary This repository contains functional proof-of-concept exploits for three Notepad++ vulnerabilities (CVE-2026-48770, CVE-2026-48778, CVE-2026-48800), including an OOB read crash via WM_COPYDATA and two RCE vulnerabilities via command injection in config.xml and shortcuts.xml.

Description

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.

Exploits (1)

nomisec WORKING POC 5 stars
by atiilla · poc
https://github.com/atiilla/Notepad-8.9.6-PoC

This repository contains functional proof-of-concept exploits for three Notepad++ vulnerabilities (CVE-2026-48770, CVE-2026-48778, CVE-2026-48800), including an OOB read crash via WM_COPYDATA and two RCE vulnerabilities via command injection in config.xml and shortcuts.xml.

Classification
Working Poc 100%
Attack Type
Rce, Dos
Complexity
Trivial
Reliability
Reliable
Target: Notepad++ <= 8.9.6
No auth needed
Prerequisites: Notepad++ <= 8.9.6 installed · Windows 10/11 environment
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →

Scores

CVSS v3 5.0
EPSS 0.0026
EPSS Percentile 17.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-125
Status published
Products (2)
notepad-plus-plus/notepad-plus-plus < 8.9.6.1
notepad-plus-plus/notepad\+\+ < 8.9.6.1
Published Jun 26, 2026
Tracked Since Jun 27, 2026