HeadlinesBriefing.com

Notepad++ Path‑Traversal RCE Exposes Users to Silent Attacks

Hacker News

Notepad++ version 8.9.6.1 is affected by CVE-2026-52884, a path‑traversal flaw that lets an attacker execute code without user confirmation. The vulnerability is classified under CWE‑42 and CWE‑59 and scores CVSS 7.8, a high‑severity rating that calls for prompt attention from users. It bypasses the recent patch that added isInTrustedDirectory() checks, allowing traversal from a trusted directory to an arbitrary location.

The patch for CVE‑2026‑48800 validated command paths but failed to canonicalize them. An attacker can craft a shortcuts.xml entry such as `C:\Windows\System32\..\..\Users\…\mimikatz.exe`, which the program treats as trusted and runs silently, bypassing all security prompts. The bypass extends to trusted launchers such as cmd.exe, which can then execute arbitrary commands without user interaction, which shows the flaw's practical impact on everyday workflows.

An attacker can plant such an entry by writing to %APPDATA%\Notepad++\shortcuts.xml, by abusing cloud sync through OneDrive or Dropbox, or by launching Notepad++ with `-settingsDir=` pointing at a malicious share. Each vector permits silent execution of payloads such as mimikatz or disk formatting, underscoring the need for immediate mitigation. Patch deployment and user education should precede any other action.

Security teams should verify that the latest 8.9.6.1 build is installed and audit shortcuts.xml for suspicious entries. If an organization relies on shared configuration directories, restrict write access to them and disable the -settingsDir option. By applying these controls, administrators can neutralize the attack surface created by this path‑traversal flaw. Continuous monitoring of shortcuts.xml will help detect any future abuse.
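An added example, not code from the article or from Notepad++: a Python audit of a constructed shortcuts.xml that contrasts the non-canonicalizing prefix check described above with a canonicalized one, and also flags entries that invoke a trusted launcher such as cmd.exe with arguments. The trusted directories, the sample entries and the UserDefinedCommands/Command element layout are assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Directories the trusted-path check is meant to allow (constructed for this example).
TRUSTED_DIRS = [r"C:\Windows\System32", r"C:\Program Files\Notepad++"]
LAUNCHERS = {"cmd.exe", "cmd"}  # run arbitrary arguments even though the binary is trusted

# Constructed sample shortcuts.xml. The UserDefinedCommands/Command layout is an
# assumption about Notepad++'s format; all paths are illustrative placeholders.
SAMPLE_SHORTCUTS_XML = r"""<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Notepad">C:\Windows\System32\notepad.exe</Command>
    <Command name="Traversal">C:\Windows\System32\..\..\Users\Public\evil.exe</Command>
    <Command name="Shell">"C:\Windows\System32\cmd.exe" /c whoami</Command>
    <Command name="Outside">D:\tools\run.exe</Command>
  </UserDefinedCommands>
</NotepadPlus>"""

def naive_is_trusted(path: str) -> bool:
    """Prefix check of the kind the article says was bypassed: no canonicalization."""
    lowered = path.lower()
    return any(lowered.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)

def canonical_is_trusted(path: str) -> bool:
    """Hardened check: collapse '..' and '.' segments first, then compare prefixes."""
    resolved = ntpath.normpath(path).lower()
    bases = [ntpath.normpath(d).lower() for d in TRUSTED_DIRS]
    return any(resolved == b or resolved.startswith(b + "\\") for b in bases)

def split_command(command: str):
    """Split a command line into (executable, arguments), honouring a quoted executable."""
    command = command.strip()
    end = command.find('"', 1) if command.startswith('"') else -1
    if end != -1:
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def audit_shortcuts(xml_text: str) -> list:
    """Return (name, executable, reason) for every Command entry that needs review."""
    findings = []
    for cmd in ET.fromstring(xml_text).iter("Command"):
        exe, args = split_command(cmd.text or "")
        if ntpath.basename(exe).lower() in LAUNCHERS and args:
            findings.append((cmd.get("name"), exe, "trusted-launcher"))
        elif naive_is_trusted(exe) and not canonical_is_trusted(exe):
            findings.append((cmd.get("name"), exe, "traversal-bypass"))
        elif not canonical_is_trusted(exe):
            findings.append((cmd.get("name"), exe, "untrusted"))
    return findings
```

Running `audit_shortcuts` on a real %APPDATA%\Notepad++\shortcuts.xml gives a reviewable list; the "traversal-bypass" reason is exactly the case the prefix-only check let through.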