Arbitrary Code Execution in Notepad++ config.xml commandLineInterpreter
CVE-2026-48778 is an arbitrary code execution vulnerability in Notepad++ affecting versions up to and including 8.9.6. The flaw is caused by unsafe handling of the <GUIConfig name="commandLineInterpreter"> value in config.xml. According to the provided reporting, Notepad++ reads this parameter via NppXml::value() in Parameters.cpp, stores it without validation, allowlisting, or integrity checks, and later uses it when the user invokes File -> Open Containing Folder -> cmd. The attacker-controlled string is then used to construct a command object and is passed to ShellExecute(), allowing execution of an arbitrary program instead of the intended command interpreter. Public proof-of-concept material reportedly demonstrated replacing the interpreter with calc.exe to confirm code execution.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Small standalone Windows C++ proof-of-concept repository with 2 files: one exploit source file and one README. The exploit is a local file-based RCE enabler for Notepad++ tied to CVE-2026-48778. Its workflow is straightforward: print banner/help, read a single payload argument, resolve %APPDATA%, derive %APPDATA%\Notepad++\config.xml and a backup path, copy the original config to config.xml.backup, then overwrite config.xml with attacker-controlled XML containing a GUIConfig named commandLineInterpreter. The payload is not a shellcode or network stager; it is simply a command string embedded into the XML. After modification, the user must manually trigger the vulnerable Notepad++ feature ('Open Containing Folder in cmd') for execution. No network communication, C2, persistence beyond config tampering, privilege escalation, or stealth features are present. This is a real exploit/POC rather than a detector, and its structure/purpose is to demonstrate local code execution by abusing Notepad++ configuration handling on affected Windows versions.
This repository is a small standalone local proof-of-concept for CVE-2026-48778 affecting Notepad++ on Windows. It contains two files: a README describing the issue and usage, and a single Python exploit script. The script does not perform remote exploitation; instead, it abuses a local configuration weakness by locating %APPDATA%\Notepad++\config.xml, reading the XML contents, and replacing or inserting the GUIConfig entry named commandLineInterpreter with calc.exe. After the file is modified, the user is instructed to open Notepad++ and trigger File -> Open Containing Folder -> cmd, at which point calc.exe launches instead of the normal command interpreter. The exploit capability is therefore arbitrary code execution via configuration hijacking, but only in a local context with write access to the victim user's Notepad++ config file and a vulnerable Notepad++ version installed. The payload is hardcoded and basic, making this an operational PoC rather than a weaponized exploit. No networking, persistence, privilege escalation, or exfiltration behavior is present.
This repository is a small standalone PoC collection for three local vulnerabilities affecting Notepad++ <= 8.9.6 on Windows. It contains 7 files total: a README, two XML payload samples, one PowerShell crash PoC, and three Python PoCs. The code is not part of a larger exploit framework.

Repository structure and purpose:
- README.md documents the three CVEs, prerequisites, trigger conditions, and usage examples.
- poc_CVE-2026-48770.py and payloads/poc_CVE-2026-48770.ps1 implement the same local crash technique in Python and PowerShell.
- poc_CVE-2026-48778.py generates or restores a malicious config.xml for command execution.
- poc_CVE-2026-48800.py generates or restores a malicious shortcuts.xml for command execution.
- payloads/config.xml and payloads/shortcuts.xml are ready-made drop-in XML payloads.

Main exploit capabilities:
1. CVE-2026-48770: local denial-of-service/crash. The PoC locates the Notepad++ window and sends a crafted WM_COPYDATA message with dwData=3 and a non-NUL-terminated 8192-byte buffer, aiming to trigger an out-of-bounds read and crash the process.
2. CVE-2026-48778: local code execution via configuration injection. The script writes a malicious %APPDATA%\Notepad++\config.xml or a temporary config.xml for use with -settingsDir. It sets GUIConfig name="commandLineInterpreter" to an attacker-chosen executable. When the user selects File -> Open Containing Folder -> cmd, Notepad++ launches that executable.
3. CVE-2026-48800: local code execution via shortcuts injection. The script writes a malicious %APPDATA%\Notepad++\shortcuts.xml or a temporary shortcuts.xml for use with -settingsDir. It adds a UserDefinedCommands entry whose text is an attacker-chosen executable. After restart, the victim can trigger execution from the Run menu.

Operational characteristics:
- The RCE PoCs support direct overwrite and restore workflows, including automatic backup creation (.bak).
- Both RCE PoCs also support a settingsdir mode that avoids modifying the real AppData directory by preparing a temporary settings directory and printing a launch command for notepad++.exe -settingsDir=<tmpdir>.
- Payloads are basic and customizable through command-line arguments, making the repository more than a pure detection script but still a straightforward PoC/operational local exploit set.

No external network infrastructure, C2, or remote endpoints are used. The exploit surface is entirely local: Windows messaging and local Notepad++ configuration files.
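The description above and the PoC summaries all turn on the same point: the commandLineInterpreter value is read from config.xml and handed to ShellExecute() without any allowlisting. The following Python audit is an added example, not Notepad++ source and not code from any of the repositories summarised above. It reads the value the way the advisory describes, applies the allowlist check a fix would need before the value reaches ShellExecute(), and reports a tampered config.xml for CVE-2026-48778. The allowlist contents, the "cmd" default, the %APPDATA%\Notepad++\config.xml location and the sample XML layout are assumptions for illustration; the two sample documents are constructed inline.

```python
"""Audit a Notepad++ config.xml for a tampered commandLineInterpreter value.

Added example, not Notepad++ source and not code from any PoC repository.
Assumptions (labelled): Notepad++ ships "cmd" as the default value, the set of
legitimate interpreters is ALLOWLIST below, config.xml lives at
%APPDATA%\\Notepad++\\config.xml (as the advisory states), and the sample XML
follows a <NotepadPlus><GUIConfigs><GUIConfig ...> layout.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumption: the interpreters an organisation considers legitimate for this setting.
ALLOWLIST = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Characters that would let one value smuggle a second command past a name-only check.
SHELL_METACHARS = set('&|<>^;"')


def read_interpreter(xml_data):
    """Return the text of <GUIConfig name="commandLineInterpreter">, or None if absent.

    This is the read step the advisory describes; unlike the vulnerable flow it does
    not hand the value to ShellExecute(), it returns it for validation.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    for node in root.iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            return (node.text or "").strip()
    return None


def validate_interpreter(value):
    """Allowlist check of the kind a fix would apply before ShellExecute().

    Returns (ok, reason). Paths are reduced to their file name, surrounding quotes
    are dropped, comparison is case-insensitive (Windows file names), and any value
    carrying shell metacharacters is rejected before the name is even looked at.
    """
    if value is None:
        return True, "setting absent; application default applies"
    cleaned = value.strip().strip('"')
    if not cleaned:
        return False, "empty interpreter value"
    if any(ch in SHELL_METACHARS for ch in cleaned):
        return False, "shell metacharacters in interpreter value"
    name = PureWindowsPath(cleaned).name.lower()
    if name not in ALLOWLIST:
        return False, "interpreter %r is not on the allowlist" % name
    return True, "interpreter %r is allowlisted" % name


def audit_config_text(xml_data):
    """Combine read + validate into one finding for a config.xml body."""
    value = read_interpreter(xml_data)
    ok, reason = validate_interpreter(value)
    return {"value": value, "ok": ok, "reason": reason}


def audit_config_file(path=None):
    """Audit a config.xml on disk; defaults to %APPDATA%\\Notepad++\\config.xml."""
    if path is None:
        appdata = os.environ.get("APPDATA")
        if not appdata:
            return {"value": None, "ok": None, "reason": "APPDATA not set; nothing audited"}
        path = os.path.join(appdata, "Notepad++", "config.xml")
    try:
        with open(path, "rb") as fh:  # bytes so the parser handles a UTF-8 BOM itself
            return audit_config_text(fh.read())
    except FileNotFoundError:
        return {"value": None, "ok": None, "reason": "%s not present" % path}


# Constructed sample inputs (not taken from a real installation or any PoC repo).
BENIGN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus>
    <GUIConfigs>
        <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
    </GUIConfigs>
</NotepadPlus>
"""
TAMPERED_CONFIG = BENIGN_CONFIG.replace(">cmd<", ">calc.exe<")


if __name__ == "__main__":
    for label, text in (("benign sample", BENIGN_CONFIG), ("tampered sample", TAMPERED_CONFIG)):
        print(label, audit_config_text(text))
    print("live config", audit_config_file())
```

Run it on the affected workstation to check the live file; a finding with ok False on the real config.xml is the artefact the PoCs above leave behind, and a .bak or config.xml.backup sitting next to it is a second indicator worth checking. The same validate_interpreter logic, placed where the advisory says the value is stored without checks, is what the missing allowlisting would look like in the application itself.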
Recent activity
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A code execution vulnerability in Notepad++ caused by improper validation of the command line interpreter tag in config.xml, enabling execution of an attacker-controlled string when the user opens a folder command prompt through the application.
A Notepad++ remote code execution vulnerability caused by unsafe handling of the commandLineInterpreter setting in config.xml, allowing arbitrary command execution via manipulated configuration data.
A critical arbitrary code execution vulnerability in Notepad++ caused by unsafe handling of the commandLineInterpreter value in config.xml, allowing attacker-controlled execution via ShellExecute().
An arbitrary code execution vulnerability in Notepad++ triggered via config.xml files.