Critical Notepad++ Vulnerability Enables Arbitrary Code Execution

Notepad++ released an emergency patch (v8.9.6.1) addressing three vulnerabilities (CVE-2026-48770, CVE-2026-48778, CVE-2026-48800), including two critical arbitrary-code-execution flaws in config.xml and shortcuts.xml that allow an attacker to substitute a malicious command interpreter without elevated privileges; users running v8.9.6 or earlier are urged to update immediately. Exploitation vectors include direct config file modification, malicious .lnk files that change the settings directory, cloud-sync poisoning, and social engineering; developers are advised to implement interpreter allowlisting, validate executable paths, and add user confirmation dialogs.