CVE-2025-15556

High KEV CVSS: 7.7

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Vendor

Notepad-plus-plus

Product

Notepad\+\+

CWE

CWE-494

Yayın Tarihi

2026-02-03 01:15:57

Güncelleme

2026-02-13 14:03:47

Source Identifier

disclosure@vulncheck.com

KEV Date Added

2026-02-12

Kategoriler

CWE-494 Notepad\+\+ HIGH Notepad-plus-plus 2026

Referanslar

https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification https://notepad-plus-plus.org//news//clarification-security-incident/ https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556