Cyber Resilience

CVE-2026-4545

High · LPE

Published: 22 March 2026

Modified: 30 April 2026
KEV Added
Patch
CVSS Score v4: 7.3 (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0013 (2.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4545 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Flos-Freeware Notepad2. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001). The CVE is ranked at the 2.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in an uncontrolled search path. The attack is only possible with local access. The attack is considered to have high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.001 DLL Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Why these techniques?

Direct match to uncontrolled search path (CWE-426/427) enabling malicious DLL loading via search order hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: flos-freeware
Product: notepad2
Version: 4.2.25

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.