Notepad++ Zero-Click Remote Code Execution Vulnerability Discovered in Latest Version
A critical path traversal vulnerability (CVE-2026-52884) was discovered in Notepad++ v8.9.6.1 that allows arbitrary code execution without user confirmation by bypassing the trusted directory validation. The flaw exists in the isInTrustedDirectory() function, which fails to canonicalize paths before checking if they reside in trusted directories, allowing attackers to use directory traversal sequences like ..\ to execute malicious code. This vulnerability is significant because it affects the latest patched version and can be exploited through modified configuration files or malicious shortcuts.
A zero-click remote code execution vulnerability has been identified in Notepad++ version 8.9.6.1, the latest patched release. The vulnerability (CVE-2026-52884) exploits a path traversal flaw in the isInTrustedDirectory() validation function introduced in a previous security patch (CVE-2026-48800). The function uses a prefix-based check without canonicalizing paths first, allowing attackers to bypass security checks by embedding directory traversal sequences (..\) within trusted directory paths. For example, a path like C:\Windows\System32\..\..\Users\[USERNAME]\Downloads\mimikatz.exe passes validation because it starts with the trusted C:\Windows\System32\ prefix, but resolves to an untrusted location. The vulnerability can be exploited through multiple vectors, including direct modification of the shortcuts.xml configuration file or via malicious .lnk files that redirect Notepad++ to load configuration from attacker-controlled locations. The recommended fix involves canonicalizing paths using functions like PathCanonicalize() or GetFullPathNameW() before performing the trusted directory check.
What's missing
The article does not indicate whether this vulnerability has been independently verified by security researchers outside the original discoverer, whether Notepad++ developers have acknowledged or responded to the report, or whether a patch has been released or is planned. Additionally, there is no information about the real-world exploitability or whether this vulnerability is being actively exploited in the wild.
What different sources said
- Hacker NewsCenter
Notepad++ Zero-Click RCE via Path Traversal (CVE-2026-52884)
Related
Potensic Atom 3 Drone Offers DJI Alternative for Global Markets, But Faces US Import Ban
Potensic has released the Atom 3, an upgraded beginner drone featuring a larger sensor, 4K 60fps video, improved battery life, and AI tracking capabilities at competitive pricing ($429.99-$549.99). The drone competes directly with DJI's Lito X1 but faces the same regulatory barriers as DJI in the US market due to a ban on foreign-made drones. The availability restrictions highlight ongoing US trade restrictions on Chinese drone manufacturers and limit consumer choice in the American market.
Wing and Walmart Expand Drone Delivery to Seven Additional U.S. Cities
Alphabet-owned Wing and Walmart are expanding their drone delivery partnership to seven new U.S. cities including Memphis, New Orleans, Philadelphia, Phoenix, San Diego, the San Francisco Bay Area, and Salt Lake City. The expansion is part of a plan to reach over 270 Walmart locations by next year, building on successful deployments in Atlanta, Dallas-Fort Worth, and Houston. The move signals that drone delivery is transitioning from a novelty service to a mainstream logistics option, with Wing having completed over 1 million commercial deliveries.
Anthropic CEO Calls for FAA-Style Regulation of Powerful AI Models
Anthropic CEO Dario Amodei published an essay calling for government regulation of powerful AI models, comparing the approach to FAA oversight of commercial aviation. The proposal includes mandatory third-party testing for frontier models and potential government authority to block or delay their deployment if they pose safety risks. The call comes as Anthropic released Claude Fable 5 and an updated Claude Mythos 5 model with advanced cybersecurity capabilities.