CVE-2026-25926
Published: 19 February 2026
Summary
CVE-2026-25926 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Notepad++ (vendor: Notepad-Plus-Plus). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE is ranked at the 4.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-25926 is an Unsafe Search Path vulnerability (CWE-426) affecting Notepad++, a free and open-source source code editor for Windows. The issue exists in versions prior to 8.9.2 and arises when the application launches Windows Explorer without specifying an absolute executable path. This flaw allows a malicious explorer.exe to be executed if an attacker controls the process working directory, potentially leading to arbitrary code execution in the context of the running Notepad++ application. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access required.
A local attacker with low privileges can exploit this vulnerability by placing a malicious explorer.exe in a controllable working directory, such as through social engineering or by influencing the application's current directory. Exploitation requires user interaction, such as the victim launching a specific feature in Notepad++ that triggers the Explorer launch. Successful exploitation enables arbitrary code execution with the privileges of the Notepad++ process, potentially compromising the user's session.
The Notepad++ security advisory (GHSA-rjvm-fcxw-2jxq) and release notes for version 8.9.2 confirm that updating to v8.9.2 resolves the issue by addressing the unsafe path handling. Security practitioners should recommend immediate upgrades for affected installations, as detailed in the GitHub release (v8.9.2) and official news announcement.
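A defender-side check, added here as an example and not code from the Notepad++ project or from this record's source, that reports whether an installation is still below the patched 8.9.2 and whether any explorer.exe sits outside %SystemRoot% in directories a low-privileged user could make the process's working directory. The -NotepadPlusPlusExe and -ScanRoots parameters and the default install path quoted in the comment are assumptions.

```powershell
# Added example for this CVE record, not code from the Notepad++ project.
# Assumptions (labelled): -NotepadPlusPlusExe is the installed editor's path, supplied by the caller;
# -ScanRoots are directories a low-privileged user could make the process's working directory.
param(
    [string]$NotepadPlusPlusExe,                # e.g. "$env:ProgramFiles\Notepad++\notepad++.exe" (assumed default install path)
    [string[]]$ScanRoots = @($env:USERPROFILE)  # user-writable trees to inspect for stray explorer.exe copies
)

$FixedVersion  = [version]'8.9.2'                          # first release that launches Explorer by absolute path
$LegitExplorer = Join-Path $env:SystemRoot 'explorer.exe'  # the only location a hardened launch should resolve to
$LegitHash     = if (Test-Path $LegitExplorer) { (Get-FileHash $LegitExplorer -Algorithm SHA256).Hash }

# 1. Is the installed Notepad++ still in the affected range (< 8.9.2)?
if ($NotepadPlusPlusExe -and (Test-Path $NotepadPlusPlusExe)) {
    $raw = (Get-Item $NotepadPlusPlusExe).VersionInfo.FileVersion
    $m   = [regex]::Match([string]$raw, '\d+(\.\d+){1,3}')   # tolerate suffixes or a missing 4th component
    if ($m.Success) {
        $installed = [version]$m.Value
        $finding = if ($installed -lt $FixedVersion) { "VULNERABLE: below $FixedVersion, apply the v8.9.2 update (SI-2)" }
                   else { 'patched' }
        [pscustomobject]@{ Check = 'Notepad++ version'; Value = $installed.ToString(); Finding = $finding }
    } else {
        Write-Warning "Could not parse a version from '$raw'"
    }
} else {
    Write-Warning 'Notepad++ path not supplied or not found; skipping version check'
}

# 2. Any explorer.exe outside %SystemRoot% is a search-order hijack candidate: a CreateProcess-style
#    lookup of a relative "explorer.exe" consults the working directory before the Windows directory.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'explorer.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $LegitExplorer } |
        ForEach-Object {
            $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            # A byte-identical copy of the genuine binary is still out of place; an unknown binary is the real concern.
            $finding = if ($hash -eq $LegitHash) { 'copy of the genuine explorer.exe in a user-writable location; remove it' }
                       else { "UNKNOWN BINARY named explorer.exe: quarantine and review (SHA256 $hash)" }
            [pscustomobject]@{ Check = 'stray explorer.exe'; Value = $_.FullName; Finding = $finding }
        }
}
```

Run it from an elevated prompt if the scan roots include other users' profiles; both checks emit objects, so the output can be piped to Export-Csv for fleet-wide collection.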
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8123
Vulnerability details
Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1574.008 Path Interception by Search Order Hijacking
Why these techniques?
Unsafe search path (no absolute path for explorer.exe) with attacker-controlled working directory directly enables search order hijacking for arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of the vendor patch (v8.9.2) that replaces the relative explorer.exe search with an absolute path, eliminating the CWE-426 vector.
- Software integrity verification: Requires cryptographic or integrity verification of executables and libraries before they are loaded, blocking a malicious explorer.exe placed in a controlled working directory.
- AC-6 (Least Privilege): Limits Notepad++ to the minimum privileges needed, reducing the impact of arbitrary code execution even if the unsafe search path is successfully exploited.