Cyber Posture

CVE-2026-25926

High · Public PoC · LPE

Published: 19 February 2026
Modified: 19 February 2026
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25926 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Notepad-Plus-Plus Notepad++. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008); ranked at the 4.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Path Interception by Search Order Hijacking (T1574.008).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1574.008 Path Interception by Search Order Hijacking (Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Unsafe search path (no absolute path for explorer.exe) with attacker-controlled working directory directly enables search order hijacking for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.

Deeper analysis

CVE-2026-25926 is an Unsafe Search Path vulnerability (CWE-426) affecting Notepad++, a free and open-source source code editor for Windows. The issue exists in versions prior to 8.9.2 and arises when the application launches Windows Explorer without specifying an absolute executable path. This flaw allows a malicious explorer.exe to be executed if an attacker controls the process working directory, potentially leading to arbitrary code execution in the context of the running Notepad++ application. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access required.

A local attacker with low privileges can exploit this vulnerability by placing a malicious explorer.exe in a controllable working directory, such as through social engineering or by influencing the application's current directory. Exploitation requires user interaction, such as the victim launching a specific feature in Notepad++ that triggers the Explorer launch. Successful exploitation enables arbitrary code execution with the privileges of the Notepad++ process, potentially compromising the user's session.

The Notepad++ security advisory (GHSA-rjvm-fcxw-2jxq) and release notes for version 8.9.2 confirm that updating to v8.9.2 resolves the issue by addressing the unsafe path handling. Security practitioners should recommend immediate upgrades for affected installations, as detailed in the GitHub release (v8.9.2) and official news announcement.
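Detection logic for the search-order hijack described above, as an added example that is not from the advisory or the Notepad++ project: it walks constructed Sysmon-style process-creation records (real Sysmon Event ID 1 field names, invented paths and users) and flags an explorer.exe that loaded from anywhere other than the Windows directory, calling out separately the case where it resolved from the parent's working directory.

```python
from pathlib import PureWindowsPath

# Directory from which the genuine Explorer binary is expected to load.
WINDOWS_DIR = PureWindowsPath("C:\\Windows")

# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# the paths and the user are invented for this demonstration.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\alice\\Documents\\",
     "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe"},
    {"Image": "C:\\Users\\alice\\Downloads\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\alice\\Downloads\\",
     "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe"},
    {"Image": "C:\\Temp\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\alice\\",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CurrentDirectory": "C:\\Users\\alice\\",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def is_search_order_hijack(event):
    """Return a reason if the record looks like CWE-426 abuse, else None.

    An explorer.exe that did not load from the Windows directory is suspicious
    by itself; if it loaded from the parent's working directory, that is the
    pattern described for CVE-2026-25926 (a bare "explorer.exe" resolved
    against an attacker-controlled current directory).
    """
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "explorer.exe":
        return None
    # PureWindowsPath compares case-insensitively and ignores a trailing "\".
    if image.parent == WINDOWS_DIR:
        return None
    if image.parent == PureWindowsPath(event["CurrentDirectory"]):
        return "explorer.exe resolved from the working directory " + event["CurrentDirectory"]
    return "explorer.exe loaded from unexpected location " + str(image.parent)


def scan(events):
    """Return (parent image, reason) pairs for every suspicious record."""
    hits = []
    for event in events:
        reason = is_search_order_hijack(event)
        if reason:
            hits.append((event["ParentImage"], reason))
    return hits
```

In a real deployment the records would come from the Sysmon operational log (or an EDR feed) rather than the embedded list, and the parent image gives the triage lead: an explorer.exe spawned from the working directory by an unpatched notepad++.exe is the advisory's scenario.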

Details

CWE(s): CWE-426 Untrusted Search Path

Affected Products

notepad-plus-plus notepad++ ≤ 8.9.2

CVEs Like This One

CVE-2025-15556 (same product: Notepad-Plus-Plus Notepad++)
CVE-2025-1068 (shared CWE-426)
CVE-2026-21280 (shared CWE-426)
CVE-2026-25880 (shared CWE-426)
CVE-2025-27167 (shared CWE-426)
CVE-2026-32009 (shared CWE-426)
CVE-2026-23512 (shared CWE-426)
CVE-2026-3780 (shared CWE-426)
CVE-2025-21399 (shared CWE-426)
CVE-2026-0662 (shared CWE-426)
