
The two code execution flaws share a single design weakness. Notepad++ stores user choices, such as the path to the command-line interpreter and the list of user-defined commands, inside XML files in the user’s profile directory. The editor reads those values and passes them to the operating system as commands without checking what they contain, according to a GitHub Security Advisory on Notepad++ published on May 27.
Anyone who can write to the XML files can decide what the editor executes, the advisory said.
The more concerning of the two flaws, CVE-2026-48800, targets the file that holds user-defined Run menu entries.
Notepad++ reads its user-defined commands from a file called shortcuts.xml and accepts whatever it finds there without validation, the advisory said. An attacker who can write to that file can add an entry that launches an arbitrary executable when the user clicks it in the Run menu.
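A defender's check for the shortcuts.xml issue described above, as an added example that is not code from the advisory or from the Notepad++ project: it compares the Run menu entries in the current shortcuts.xml with a known-good copy and reports every entry that was added or changed, along with the program it would start. The `UserDefinedCommands`/`Command` element layout, the sample XML and the placeholder paths are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Element names follow the usual shortcuts.xml layout
# (assumption); key-binding attributes are omitted for brevity.
SAMPLE_BASELINE = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Open folder">explorer.exe "$(CURRENT_DIRECTORY)"</Command>
    <Command name="Word count">wc-placeholder.exe "$(FULL_CURRENT_PATH)"</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

SAMPLE_CURRENT = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Open folder">explorer.exe "$(CURRENT_DIRECTORY)"</Command>
    <Command name="Word count">"C:\Placeholder\tool-a.exe" "$(FULL_CURRENT_PATH)"</Command>
    <Command name="Format file">C:\Placeholder\tool-b.exe /x</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

def run_menu_entries(xml_text):
    """Return {entry name: command line} for every Run menu entry."""
    root = ET.fromstring(xml_text)
    return {cmd.get("name", ""): (cmd.text or "").strip()
            for cmd in root.iterfind("./UserDefinedCommands/Command")}

def program_of(command):
    """Extract the program a command line starts, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(None, 1)[0].lower() if command else ""

def audit(baseline_xml, current_xml):
    """List (status, name, program) for entries added or changed since baseline."""
    baseline = run_menu_entries(baseline_xml)
    findings = []
    for name, command in run_menu_entries(current_xml).items():
        if name not in baseline:
            findings.append(("added", name, program_of(command)))
        elif baseline[name] != command:
            findings.append(("changed", name, program_of(command)))
    return findings

if __name__ == "__main__":
    for status, name, program in audit(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(f"{status}: {name!r} starts {program}")
```

Entries that share a name collapse to the last one in this sketch, so a production audit should key on position as well as name.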
