
CVE-2026-25926

Severity: High · Public PoC · LPE

Published: 19 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: v8.9.2
CVSS v3.1 score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0002 (4.4th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25926 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Notepad-Plus-Plus Notepad++. Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE ranks at the 4.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25926 is an Unsafe Search Path vulnerability (CWE-426) affecting Notepad++, a free and open-source source code editor for Windows. The issue exists in versions prior to 8.9.2 and arises when the application launches Windows Explorer without specifying an absolute executable path. This flaw allows a malicious explorer.exe to be executed if an attacker controls the process working directory, potentially leading to arbitrary code execution in the context of the running Notepad++ application. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access required.

A local attacker with low privileges can exploit this vulnerability by placing a malicious explorer.exe in a controllable working directory, such as through social engineering or by influencing the application's current directory. Exploitation requires user interaction, such as the victim launching a specific feature in Notepad++ that triggers the Explorer launch. Successful exploitation enables arbitrary code execution with the privileges of the Notepad++ process, potentially compromising the user's session.

The Notepad++ security advisory (GHSA-rjvm-fcxw-2jxq) and release notes for version 8.9.2 confirm that updating to v8.9.2 resolves the issue by addressing the unsafe path handling. Security practitioners should recommend immediate upgrades for affected installations, as detailed in the GitHub release (v8.9.2) and official news announcement.


Vulnerability details

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.

CWE(s): CWE-426 Untrusted Search Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1574.008 Path Interception by Search Order Hijacking (tag: Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Unsafe search path (no absolute path for explorer.exe) with attacker-controlled working directory directly enables search order hijacking for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15556 · Same product: Notepad-Plus-Plus Notepad++
CVE-2026-25880 · Shared CWE-426
CVE-2025-27167 · Shared CWE-426
CVE-2026-32009 · Shared CWE-426
CVE-2025-1068 · Shared CWE-426
CVE-2026-21280 · Shared CWE-426
CVE-2026-30906 · Shared CWE-426
CVE-2026-23512 · Shared CWE-426
CVE-2022-4987 · Shared CWE-426
CVE-2025-21399 · Shared CWE-426

Affected Assets

Vendor: notepad-plus-plus
Product: notepad++
Versions: ≤ 8.9.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: SI-2 (Flaw Remediation). Directly requires timely installation of the vendor patch (v8.9.2) that replaces the relative explorer.exe search with an absolute path, eliminating the CWE-426 vector.

prevent: Requires cryptographic or integrity verification of executables and libraries before they are loaded, blocking a malicious explorer.exe placed in a controlled working directory.

prevent: AC-6 (Least Privilege). Limits Notepad++ to the minimum privileges needed, reducing the impact of arbitrary code execution even if the unsafe search path is successfully exploited.
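The following PowerShell host check is an added example, not code from the advisory or from the Notepad++ project. It verifies the two controls above that can be checked locally: whether the installed Notepad++ is at or above the fixed release 8.9.2 (flaw remediation), and whether any explorer.exe exists outside the Windows directory, with its Authenticode status and a hash comparison against the real binary (integrity verification). The Notepad++ install path and the directories searched for stray copies are assumptions and should be adjusted to the environment; the fixed version number is taken from the advisory text.

```powershell
# Added example: local exposure check for CVE-2026-25926 (CWE-426 in Notepad++).
# Not code from the advisory or the Notepad++ project; assumptions are marked.

$FixedVersion = [version]'8.9.2'                                        # fixed release per the advisory
$NppExe       = Join-Path $env:ProgramFiles 'Notepad++\notepad++.exe'   # ASSUMED install path
$RealExplorer = Join-Path $env:windir 'explorer.exe'                    # canonical Explorer location

function Test-NppPatched {
    # Flaw remediation: compare the installed file version with the fixed release.
    if (-not (Test-Path -Path $NppExe)) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    $raw = (Get-Item -Path $NppExe).VersionInfo.FileVersion
    try {
        # Keep only the leading dotted number so suffixes like " (x64)" do not break the cast.
        $ver = [version](($raw -split '[^\d.]')[0])
    } catch {
        $ver = $null
    }
    [pscustomobject]@{
        Installed = $true
        Version   = $ver
        Patched   = if ($ver) { $ver -ge $FixedVersion } else { $null }
    }
}

function Find-StrayExplorer {
    # Integrity verification: any explorer.exe outside %windir% is suspect, because a
    # relative launch resolves against the working directory first. Search roots are an
    # ASSUMPTION; extend them to wherever Notepad++ is commonly started from.
    param([string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP))

    $realHash = (Get-FileHash -Path $RealExplorer).Hash

    Get-ChildItem -Path $Roots -Filter 'explorer.exe' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $RealExplorer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                Status          = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
                # A byte-identical copy of the real binary is less alarming than an unsigned
                # or differently signed file, but any copy outside %windir% merits review.
                HashMatchesReal = ((Get-FileHash -Path $_.FullName).Hash -eq $realHash)
            }
        }
}

# Report
$patch = Test-NppPatched
$stray = @(Find-StrayExplorer)

$patch | Format-List
if ($patch.Installed -and $patch.Patched -eq $false) {
    Write-Warning "Notepad++ $($patch.Version) is below $FixedVersion; update to the fixed release."
}

if ($stray.Count -gt 0) {
    $stray | Format-Table -AutoSize
} else {
    'No explorer.exe found outside the Windows directory in the searched roots.'
}
```

Run it from an elevated prompt if the searched roots include directories the current user cannot read; unreadable paths are silently skipped by the -ErrorAction setting. The recursive search over the user profile can take a while on large profiles, so narrow the roots or run it as a scheduled audit rather than interactively.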

References