CVE-2026-4546
Published: 22 March 2026
Summary
CVE-2026-4546 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Flos-Freeware Notepad2. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001). The CVE is ranked at the 11.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14303
Vulnerability details
A weakness has been identified in Flos Freeware Notepad2 4.2.25. This impacts an unknown function in the library TextShaping.dll. Executing a manipulation can lead to an uncontrolled search path. The attack is restricted to local execution. The attack requires a high level of complexity. The exploitability is said to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct uncontrolled search path (CWE-426/427) in TextShaping.dll enables DLL Search Order Hijacking (T1038) via local placement of a malicious DLL.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.