Overview
CVE-2026-52884 is a high-severity (CVSS 7.8) path traversal vulnerability in Notepad++, the popular open-source text editor for Windows. The flaw exists in the isInTrustedDirectory() function, which is responsible for verifying that loaded plugins reside in a trusted installation directory before execution. By crafting a plugin path that includes directory traversal sequences, an attacker can make a malicious plugin appear to be within a trusted directory, bypassing the security check.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-52884 |
| CVSS Score | 7.8 (High) |
| Affected Software | Notepad++ v8.9.6.1 and earlier |
| Disclosure Date | 2026-06-26 |
| CWE | CWE-22 (Path Traversal) |
| Platform | Windows |
Vulnerability Details
Notepad++ implements a trusted directory check to prevent loading of untrusted or unsigned plugins from arbitrary filesystem locations. In version 8.9.6.1, the isInTrustedDirectory() function uses a prefix-based string comparison (PathIsPrefix() or equivalent) rather than first canonicalizing the path.
This means a path like:
C:\Program Files\Notepad++\plugins\..\..\Users\attacker\malicious.dll
passes the prefix check (it starts with the trusted directory string C:\Program Files\Notepad++\plugins\) while the actual resolved path after traversal points to an entirely different location controlled by the attacker.
Root Cause
// Vulnerable pattern (simplified)
bool isInTrustedDirectory(const wstring& pluginPath) {
// BUG: path is NOT canonicalized before prefix check
return PathIsPrefix(trustedDir.c_str(), pluginPath.c_str());
}
// Safe pattern
bool isInTrustedDirectory(const wstring& pluginPath) {
wchar_t canonicalized[MAX_PATH];
PathCanonicalize(canonicalized, pluginPath.c_str()); // resolve ..\
return PathIsPrefix(trustedDir.c_str(), canonicalized);
}The fix requires calling PathCanonicalize() (or GetFullPathName()) on the plugin path before performing the prefix comparison.
Attack Scenario
- Attacker places a malicious DLL at a user-writable path on the system (e.g.,
C:\Users\victim\AppData\Roaming\evil.dll) - Crafts a path that traverses from a trusted Notepad++ directory to the malicious DLL location using
..\..\sequences - Delivers the crafted path via a malicious Notepad++ config file, a compromised plugin manager entry, or a crafted shortcut/association
- Notepad++ loads the DLL believing it is within the trusted plugin directory
- DLL executes with the privileges of the Notepad++ process
This attack is local — it requires the ability to place a file on the target system and influence the plugin path Notepad++ attempts to load. It is typically exploited as a privilege escalation step or persistence mechanism after initial compromise, hence the CVSS 7.8 (High) score rather than Critical.
Affected Versions
All Notepad++ versions up to and including v8.9.6.1 on Windows are affected. The vulnerability exists wherever the trusted directory plugin loading check is performed.
Remediation
Monitor the Notepad++ GitHub releases for a patched version addressing CVE-2026-52884. In the meantime:
- Keep Notepad++ updated to the latest available release as soon as a patch is published
- Restrict write access to Notepad++ plugin directories to prevent unauthorized DLL placement
- Enable application control policies (Windows Defender Application Control / AppLocker) to block DLL loading from user-writable paths
- Audit plugin directories for unexpected or unsigned DLLs
# List DLLs in Notepad++ plugin directories and check signatures
Get-ChildItem "C:\Program Files\Notepad++\plugins\" -Recurse -Filter "*.dll" |
ForEach-Object {
$sig = Get-AuthenticodeSignature $_.FullName
[PSCustomObject]@{
File = $_.Name
Status = $sig.Status
Signer = $sig.SignerCertificate.Subject
}
} | Format-Table -AutoSizeContext: Notepad++ Plugin Security Model
Notepad++ loads plugins as native Windows DLLs that run with full process privileges. The trusted directory check exists to prevent plugin hijacking — a common Windows attack vector where attackers plant malicious DLLs in paths that get loaded by legitimate applications. This vulnerability undermines that protection, making the trusted directory check effectively bypassable with a crafted path.