Notepad++ XML File Risk

Brendan Smith
Brendan Smith - Cybersecurity Analyst
9 Min Read
Notepad++ XML configuration file risk with a warning to patch the editor.
Notepad++ configuration file risk fixed in version 8.9.6.1.

Notepad++ users should update to version 8.9.6.1 or newer if they use the editor on Windows for scripts, logs, project files, or downloaded archives. The May 2026 Notepad++ security release fixed two high-severity arbitrary code execution issues tied to config.xml and shortcuts.xml, plus a separate crash bug. The realistic risk is not a remote drive-by exploit: an attacker first needs a way to place or redirect Notepad++ to poisoned settings, then the victim has to trigger the affected command path. That still matters because the affected files live in normal user configuration locations and can blend into trusted editor behavior.

The safest response is simple: install the official Notepad++ update, distrust shortcuts or archives that launch Notepad++ with unusual settings, and inspect the user configuration folder if the editor recently behaved strangely. If a suspicious archive, shortcut, plugin bundle, or synced profile was involved, treat the machine as potentially exposed and run a malware scan before reusing saved credentials or scripts.

What Was Fixed In Notepad++ 8.9.6.1?

The official Notepad++ release note says version 8.9.6.1 fixes three vulnerabilities: a malformed-structure crash, arbitrary code execution through config.xml, and arbitrary code execution through shortcuts.xml.[1] The two code execution advisories are tracked as CVE-2026-48778 and CVE-2026-48800.

Issue Practical meaning
CVE-2026-48778 A poisoned commandLineInterpreter value in config.xml can replace the command that Notepad++ runs when a user opens the containing folder in a command prompt.[2]
CVE-2026-48800 A poisoned Run menu command in shortcuts.xml can appear as a normal user-defined command and launch an attacker-chosen executable when clicked.[3]
Affected versions GitHub advisories list Notepad++ versions up to and including 8.9.6 as affected, with 8.9.6.1 as the patched version.[2]

Both flaws are local-command execution paths. They are dangerous when combined with malware, a malicious .lnk file, a shared settings folder, a poisoned cloud-synced profile, or a social-engineered archive that changes which configuration directory Notepad++ uses. That makes the issue more relevant to developers, admins, support teams, and power users than to someone who only opens plain text files from trusted folders.

How The XML Files Become A Risk

Notepad++ stores many user preferences and commands in XML files. The user manual explains that normal installs use the %AppData%Notepad++ hierarchy, while portable or redirected setups can use other configuration locations.[4] That flexibility is useful, but it also means a malicious settings directory can matter as much as a malicious executable.

In the config.xml case, the affected setting controls the command-line interpreter used by the “Open Containing Folder in cmd” action. In the shortcuts.xml case, the dangerous entry sits under user-defined Run menu commands. The user may see a harmless-looking menu item such as “System Update Check” or “Build Project” even though the command behind it points to an attacker-controlled binary or script.

Who Should Act First?

  • Anyone running Notepad++ 8.9.6 or older on Windows.
  • Users who open code, logs, scripts, or archives from Discord, GitHub issues, email attachments, forums, freelance handoffs, or shared drives.
  • Admins who deploy Notepad++ as a standard support or developer tool.
  • People who use portable Notepad++ builds, cloud settings, custom -settingsDir shortcuts, or shared profile folders.
  • Users who recently saw new Run menu items, strange command prompts, unexpected child processes, or antivirus alerts after launching Notepad++.

How To Check Your Notepad++ Version

  1. Open Notepad++.
  2. Select ? or Help, then About Notepad++.
  3. If the version is 8.9.6 or older, update from the official Notepad++ website or your managed software portal.
  4. After updating, close all Notepad++ windows and reopen the editor so the patched executable is the one in use.

For managed fleets, do not rely only on the installed program list. Portable copies and manually extracted builds may sit in user folders, developer tool directories, or old project archives. Inventory common paths such as Downloads, Desktop, developer tool folders, and portable app directories when the user has admin or developer workflows.

What To Inspect If You Opened A Suspicious Archive Or Shortcut

If the only issue is an old Notepad++ version, updating is enough. If the warning came after opening an unknown archive, project handoff, plugin bundle, or shortcut, check for configuration tampering as well.

  1. Close every Notepad++ window.
  2. Inspect %AppData%Notepad++config.xml for unusual commandLineInterpreter values.
  3. Inspect %AppData%Notepad++shortcuts.xml for unexpected UserDefinedCommands, especially names that look like update checks, build steps, helper tools, or project launchers.
  4. Check any shortcut that launches Notepad++. Be suspicious of -settingsDir= pointing to a project, archive extraction folder, cloud-sync path, or unfamiliar directory.
  5. Look in Task Manager, Startup Apps, Task Scheduler, and browser downloads for files created around the same time.
  6. If you find suspicious commands or executables, disconnect the machine from risky accounts, preserve the files for review, and scan the system before continuing work.

Gridinsoft Anti-Malware can help with the endpoint side of that response: scan the downloaded archive, the referenced executable, and the affected Windows profile for trojans, loaders, unwanted startup entries, and persistence left by the same incident. The vulnerability patch stops the Notepad++ execution path; it does not automatically remove a payload that already ran.

Run a full system scan after removal.

After uninstalling the suspicious app or deleting the threat, scan all drives to catch hidden folders, startup entries, and bundled files.

Download Anti-Malware

Should You Delete config.xml Or shortcuts.xml?

Do not delete configuration files as the first step on a production or developer workstation. Back them up first, update Notepad++, and compare suspicious entries with a clean profile or a known-good portable copy. The Notepad++ manual notes that some configuration files can be recreated when missing, but deleting them can also remove legitimate shortcuts, macros, and preferences.[4]

If you confirm tampering, save a copy for incident review, remove the suspicious command entries, restart Notepad++, and verify that the Run menu and “Open Containing Folder in cmd” behavior are normal. In a business environment, reimage or reset the profile if the same user account also shows malware, credential theft, or repeated unauthorized changes.

How To Reduce The Risk Going Forward

  • Keep Notepad++ and other developer tools updated through a trusted source.
  • Do not launch Notepad++ from random .lnk files inside archives or project folders.
  • Treat shared editor settings as code when they come from contractors, community posts, or unknown repositories.
  • Block or review user-writable software folders in business environments where attackers often hide tools.
  • Monitor Notepad++ child processes if your EDR supports parent/child process rules for developer tools.

FAQ

Is this a remote Notepad++ exploit?

No. The public advisories describe local execution paths that need poisoned configuration data and user interaction. The risk increases when an attacker can write to the Notepad++ settings folder, redirect settings with a shortcut, or trick the user into opening a prepared archive or project.

Is Notepad++ safe after the update?

Version 8.9.6.1 patches the reported config.xml and shortcuts.xml code execution flaws. If a suspicious command already ran before the update, you still need to scan the system and check for persistence or stolen credentials.

Do I need to uninstall Notepad++?

Most users do not need to uninstall it. Update to the patched version, avoid untrusted settings directories and shortcuts, and inspect the configuration files if there are signs of tampering.

References

  1. Notepad++ Project. “Notepad++ v8.9.6.1 release.” Notepad++ official website, published May 26, 2026, accessed June 1, 2026. https://notepad-plus-plus.org/news/v8961-released/
  2. Notepad++ Project. “Arbitrary Code Execution via commandLineInterpreter of config.xml.” GitHub Security Advisory GHSA-7hm3-wp5q-ccv9, published May 26, 2026, accessed June 1, 2026. https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9
  3. Notepad++ Project. “Arbitrary Code Execution via shortcuts.xml UserCommand Injection.” GitHub Security Advisory GHSA-3x3f-3j39-pj3v, published May 27, 2026, accessed June 1, 2026. https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-3x3f-3j39-pj3v
  4. Notepad++ User Manual. “Configuration Files Details.” Notepad++ User Manual, accessed June 1, 2026. https://www.npp-user-manual.org/docs/config-files/
End of support for Adobe Flash caused interruptions in the Chinese railway system
Fake Windows Update in Browser Deliver Aurora Stealer
Dangerous bug in WhatsApp could lead to disclosure of user data
GoTrim Malware Hacks WordPress Sites
Information Security Specialists Discovered a 0-day Vulnerability in Windows Search
TAGGED:
Share This Article
ByBrendan Smith
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Previous Article Fake OnlyFans leak checker scam warning with a trap hook and account cards. OnlyFans Leak Checker Scam: Fake Breach Panic and Malware Risk
Next Article Editorial poster showing pythonw.exe process inspection and network check. pythonw.exe: Malware or Safe?
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?