Notepad++ Zero-Click RCE via Path Traversal (CVE-2026-52884)
Summary
CVE-2026-52884 describes a zero-click remote code execution vulnerability in Notepad++ via path traversal, affecting users on Windows.
Cached at: 06/10/26, 11:43 AM
notepad-plus-plus/notepad-plus-plus
Source: https://github.com/notepad-plus-plus/notepad-plus-plus
What is Notepad++ ?
Notepad++ is a free (free as in both “free speech” and “free beer”) source code editor and Notepad replacement that supports several programming languages and natural languages. It runs in the MS Windows environment, and its use is governed by the GPL License.
See the Notepad++ official site for more information.
Notepad++ GPG Release Key
Since the release of version 7.6.5, Notepad++ has been signed using GPG with the following key:
- Signer: Notepad++
- E-mail: [email protected]
- Key ID: 0x8D84F46E
- Key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
- Key type: RSA 4096/4096
- Created: 2019-03-11
- Expires: 2027-03-13
https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppGpgPub.asc
Supported OS
All the Windows systems still supported by Microsoft are supported by Notepad++. However, not all Notepad++ users can or want to use the newest system. Here is the Supported systems information you may need in case you are one of them.
Build Notepad++
Please follow the build guide to build Notepad++ from source.
Contribution
Contributions are welcome. Be mindful of our Contribution Rules to increase the likelihood of your contribution getting accepted.