CVE-2026-48778

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-48778. PoCs published by Kavin Jindal, Unclecheng-li, XK3NF4.

AI-analyzed exploit summary This exploit demonstrates arbitrary code execution in Notepad++ <= 8.9.6 by injecting a malicious executable path into the config.xml file. The payload modifies the commandLineInterpreter setting, causing Notepad++ to execute calc.exe instead of cmd when 'Open Containing Folder in cmd' is triggered.

Description

Notepad++ 8.9.6 - Arbitrary Code Execution

Exploits (5)

exploitdb WORKING POC

by Kavin Jindal · pythonremotewindows

https://www.exploit-db.com/exploits/52606

View Code ZIP pw:eip

This exploit demonstrates arbitrary code execution in Notepad++ <= 8.9.6 by injecting a malicious executable path into the config.xml file. The payload modifies the commandLineInterpreter setting, causing Notepad++ to execute calc.exe instead of cmd when 'Open Containing Folder in cmd' is triggered.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Notepad++ <= 8.9.6

No auth needed

Prerequisites: Write access to %APPDATA%\Notepad++\config.xml · Notepad++ installed and launched at least once

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 31, 2026 Full analysis →

github WORKING POC 442 stars

by Unclecheng-li · cpoc

https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-48778 Notepad++ RCE

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2026-48778, demonstrating arbitrary code execution in Notepad++ via a malicious config.xml file. The exploit leverages a lack of validation in the commandLineInterpreter field, allowing an attacker to replace the default cmd.exe with any executable.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Notepad++ <= v8.9.6

No auth needed

Prerequisites: Attacker-controlled config.xml · User interaction (File -> Open Containing Folder -> cmd)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 31, 2026 Full analysis →

github WORKING POC 6 stars

by XK3NF4 · c++poc

https://github.com/XK3NF4/CVE-2026-48778

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-48778, which leverages a vulnerability in Notepad++'s config.xml handling to achieve remote code execution (RCE). The exploit modifies the 'commandLineInterpreter' setting in the config.xml file to execute arbitrary commands when triggered via specific user actions in Notepad++.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Notepad++ <= v8.9.6

No auth needed

Prerequisites: User interaction required to trigger the exploit (e.g., opening a file or folder via Notepad++ UI)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 31, 2026 Full analysis →

github WORKING POC 3 stars

by Pocland-db · pythonpoc

https://github.com/Pocland-db/cve-pocs/tree/main/2026/CVE-2026-48778

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-48778, which leverages a vulnerability in Notepad++'s config.xml handling to achieve remote code execution (RCE). The exploit modifies the 'commandLineInterpreter' setting in the config.xml file to execute arbitrary commands when triggered via specific user actions in Notepad++.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Notepad++ <= v8.9.6

No auth needed

Prerequisites: Access to the target's APPDATA directory to modify config.xml · User interaction to trigger the payload via Notepad++ menu options

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 01, 2026 Full analysis →

github WORKING POC

by kavin-jindal · pythonpoc

https://github.com/kavin-jindal/CVE-2026-48778-PoC

View Code ZIP pw:eip

This repository contains a functional Python script that exploits CVE-2026-48778 in Notepad++ by injecting a malicious payload into the config.xml file, leading to arbitrary code execution when a specific menu option is triggered.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Notepad++ <= 8.9.6

No auth needed

Prerequisites: Notepad++ installed and launched at least once · Access to the user's APPDATA directory

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 31, 2026 Full analysis →

Notepad++ 8.9.6 - Arbitrary Code Execution

Exploitation Summary

Description

Exploits (5)

Scores

Details