Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-52884: Notepad++ Trusted Directory Bypass via Path Traversal (CVSS 7.8)
CVE-2026-52884: Notepad++ Trusted Directory Bypass via Path Traversal (CVSS 7.8)
SECURITYHIGHCVE-2026-52884

CVE-2026-52884: Notepad++ Trusted Directory Bypass via Path Traversal (CVSS 7.8)

A path traversal flaw in Notepad++ v8.9.6.1 allows attackers to bypass the trusted directory plugin verification check using path sequences, potentially...

Dylan H.

Security Team

June 27, 2026
4 min read

Affected Products

  • Notepad++ v8.9.6.1 and earlier

Overview

CVE-2026-52884 is a high-severity (CVSS 7.8) path traversal vulnerability in Notepad++, the popular open-source text editor for Windows. The flaw exists in the isInTrustedDirectory() function, which is responsible for verifying that loaded plugins reside in a trusted installation directory before execution. By crafting a plugin path that includes directory traversal sequences, an attacker can make a malicious plugin appear to be within a trusted directory, bypassing the security check.

FieldDetails
CVE IDCVE-2026-52884
CVSS Score7.8 (High)
Affected SoftwareNotepad++ v8.9.6.1 and earlier
Disclosure Date2026-06-26
CWECWE-22 (Path Traversal)
PlatformWindows

Vulnerability Details

Notepad++ implements a trusted directory check to prevent loading of untrusted or unsigned plugins from arbitrary filesystem locations. In version 8.9.6.1, the isInTrustedDirectory() function uses a prefix-based string comparison (PathIsPrefix() or equivalent) rather than first canonicalizing the path.

This means a path like:

C:\Program Files\Notepad++\plugins\..\..\Users\attacker\malicious.dll

passes the prefix check (it starts with the trusted directory string C:\Program Files\Notepad++\plugins\) while the actual resolved path after traversal points to an entirely different location controlled by the attacker.

Root Cause

// Vulnerable pattern (simplified)
bool isInTrustedDirectory(const wstring& pluginPath) {
    // BUG: path is NOT canonicalized before prefix check
    return PathIsPrefix(trustedDir.c_str(), pluginPath.c_str());
}
 
// Safe pattern
bool isInTrustedDirectory(const wstring& pluginPath) {
    wchar_t canonicalized[MAX_PATH];
    PathCanonicalize(canonicalized, pluginPath.c_str());  // resolve ..\
    return PathIsPrefix(trustedDir.c_str(), canonicalized);
}

The fix requires calling PathCanonicalize() (or GetFullPathName()) on the plugin path before performing the prefix comparison.

Attack Scenario

  1. Attacker places a malicious DLL at a user-writable path on the system (e.g., C:\Users\victim\AppData\Roaming\evil.dll)
  2. Crafts a path that traverses from a trusted Notepad++ directory to the malicious DLL location using ..\..\ sequences
  3. Delivers the crafted path via a malicious Notepad++ config file, a compromised plugin manager entry, or a crafted shortcut/association
  4. Notepad++ loads the DLL believing it is within the trusted plugin directory
  5. DLL executes with the privileges of the Notepad++ process

This attack is local — it requires the ability to place a file on the target system and influence the plugin path Notepad++ attempts to load. It is typically exploited as a privilege escalation step or persistence mechanism after initial compromise, hence the CVSS 7.8 (High) score rather than Critical.

Affected Versions

All Notepad++ versions up to and including v8.9.6.1 on Windows are affected. The vulnerability exists wherever the trusted directory plugin loading check is performed.

Remediation

Monitor the Notepad++ GitHub releases for a patched version addressing CVE-2026-52884. In the meantime:

  1. Keep Notepad++ updated to the latest available release as soon as a patch is published
  2. Restrict write access to Notepad++ plugin directories to prevent unauthorized DLL placement
  3. Enable application control policies (Windows Defender Application Control / AppLocker) to block DLL loading from user-writable paths
  4. Audit plugin directories for unexpected or unsigned DLLs
# List DLLs in Notepad++ plugin directories and check signatures
Get-ChildItem "C:\Program Files\Notepad++\plugins\" -Recurse -Filter "*.dll" |
  ForEach-Object { 
    $sig = Get-AuthenticodeSignature $_.FullName
    [PSCustomObject]@{ 
      File = $_.Name
      Status = $sig.Status
      Signer = $sig.SignerCertificate.Subject
    }
  } | Format-Table -AutoSize

Context: Notepad++ Plugin Security Model

Notepad++ loads plugins as native Windows DLLs that run with full process privileges. The trusted directory check exists to prevent plugin hijacking — a common Windows attack vector where attackers plant malicious DLLs in paths that get loaded by legitimate applications. This vulnerability undermines that protection, making the trusted directory check effectively bypassable with a crafted path.

References

  • NVD Entry — CVE-2026-52884
  • Notepad++ GitHub Repository
  • CWE-22: Path Traversal
  • Microsoft PathCanonicalize documentation
#CVE#Vulnerability#Notepad++#Path Traversal#Windows#Plugin Security

Related Articles

CVE-2026-14198: Fastify Middie Middleware Path Bypass (CVSS 9.1)

Critical path bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 allows attackers to evade middleware protection by exploiting a %2F...

5 min read

CVE-2025-55017: Apache IoTDB Critical Path Traversal Vulnerability

Critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.5. Users must upgrade...

4 min read

CVE-2025-64152: Apache IoTDB Second Critical Path Traversal Flaw

A second critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6. Patch to 1.3.6 or...

5 min read
Back to all Security Alerts