HIGHπŸ‡΅πŸ‡± Wersja polska

CVE-2026-46710

CVSS 7.5v4.0pub. 2026-06-26upd. 2026-06-29

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installation contextMenu directory. If an attacker can pre-place a malicious powershell.exe in a user-writable custom installation directory, and a privileged user later runs the installer and selects that directory, the attacker-controlled executable is launched with the elevated privileges of the installer. This vulnerability is fixed in 8.9.6.

CVSS Vector
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Notepad Plus Plus Notepad\+\+

    APP
    Notepad-Plus-Plus
    8.9.4 – 8.9.6 (bez)
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2025-15556HIGH7.7⚠ KEVten sam produkt

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vul...

CVE-2026-48800HIGH7.8ten sam produkt

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content insid...

CVE-2026-48778HIGH7.8ten sam produkt

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInte...

CVE-2026-52884HIGH7.8ten sam produkt

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonical...

CVE-2026-52885HIGH7.5ten sam produkt

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of t...

CVE-2026-46710 β€” Notepad-Plus-Plus β€” Notepad\+\+ β€” HIGH β€” CVSS 7.5 | CVEbaza.pl