Notepad++ Patches High-Severity RCE Flaws in Version 8.9.6.1
ID: 4f003bfe-665f-5fcf-a312-c248261a4943
STIX ID: report--4f003bfe-665f-5fcf-a312-c248261a4943
Feed Name: The Cyber Express
Notepad++ released version 8.9.6.1 to patch multiple security vulnerabilities, most critically CVE-2026-48778, an OS command injection in the processing of config.xml that can lead to remote code execution when users trigger the “Open Containing Folder in cmd” feature. Researchers demonstrated a proof-of-concept and recommend immediate updates and defensive measures to mitigate exploitation paths such as modified AppData config files, crafted shortcuts, and cloud-synced configuration poisoning.
