Notepad++ < 8.9.7 Multiple Vulnerabilities

high Nessus Plugin ID 327203

Synopsis

A text editor on the remote Windows host is affected by multiple vulnerabilities.

Description

The version of Notepad++ installed on the remote host is prior to 8.9.7. It is, therefore, affected by multiple vulnerabilities:

- A security bypass vulnerability exists in session.xml backupFilePath handling due to an incomplete starts_with check. An attacker could exploit this to bypass path validation controls. (CVE-2026-52886)

- A stack buffer overflow vulnerability exists in the expandNppEnvironmentStrs function. An attacker could exploit this to execute arbitrary code. (CVE-2026-54758)

- A zip slip (path traversal) vulnerability exists that allows an attacker to write files outside the intended directory when extracting archive contents. (CVE-2026-57233)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Notepad++ version 8.9.7 or later.

See Also

https://notepad-plus-plus.org/news/v897-slava-ukraini/

Plugin Details

Severity: High

ID: 327203

File Name: notepad_plus_plus_8_9_7.nasl

Version: 1.2

Type: Local

Agent: windows

Family: Windows

Published: 7/16/2026

Updated: 7/17/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-54758

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:notepad-plus-plus:notepad%5c%2b%5c%2b

Required KB Items: installed_sw/Notepad++, SMB/Registry/Enumerated

Exploit Ease: No known exploits are available

Patch Publication Date: 7/14/2026

Vulnerability Publication Date: 7/14/2026

Reference Information

CVE: CVE-2026-52886, CVE-2026-54758, CVE-2026-57233