CVE-2026-25926

Published: Feb 18, 2026

Modified: Feb 19, 2026

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue.

Vendor	Product	Versions
notepad-plus-plus	notepad-plus-plus	affected `< 8.9.2`

Weaknesses (CWE)

CWE-426

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-rjvm-fcxw-2jxq

x_refsource_CONFIRM

https://github.com/notepad-plus-plus/notepad-plus-plus/releases/tag/v8.9.2

x_refsource_MISC

https://notepad-plus-plus.org/news/v892-released

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-25926

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References