Notepad++ release 8.9.6.1

donho

Notepad++ release 8.9.6.1 is available:

https://notepad-plus-plus.org/news/v8961-released/

Notepad++ v8.9.6.1 vulnerability fixes:

1. Fix bad formed COPYDATASTRUCT makes Notepad++ crash (CVE-2026-48770).
2. Fix arbitrary code execution vulnerability via config.xml (CVE-2026-48778).
3. Fix arbitrary code execution vulnerability via shortcuts.xml (CVE-2026-48778).

Notepad++ v8.9.6. regression fixes, bug-fixes:

1. Fix vulnerability (CVE-2026-46710) of v8.9.4 & v8.9.5 installer. (Implement commit)
2. Fix x86 installer regression of not showing installation entry in “Unstall a program” of Control Panel. (Fix community discussion)
3. Fix x86 installer regression where context menu not installed or uninstalled correctly. (Fix community discussion)
4. Fix UAC prompt display regression (“Notepad++ installer” instead of “Notepad++”) for Notepad++ v8.9.5. (Fix GitHub comment)
5. Fix incorrect bevaviour when saving dirty read-only files. (Fix #17956)
6. Fix regression where saving a UDL file removed XML declaration. (Fix GitHub comment)

Notepad++ v8.9.5 regression fixes, bug-fixes & new improvements:

1. Fix updating issue where using v8.9.4 32-bits installer creates duplicate “Uninstall a program” entries. (Fix #17979)
2. Fix v8.9.4 64-bits installer error message caused by MSIX on Win10. (Fix installer regression)
3. Fix regression in UDL xml file EOL parsing issue. (Fix #18022)
4. Update Scintilla to 5.6.2 & Lexilla to 5.4.9. (Implement #18011)
5. Add option to synchronize zoom level across views. (Fix #17862)
6. Fix MSI installer writting language info to HKCU instead of HKLM. (Fix MSI issue)
7. Fix imported UDLs not appearing in the language menu without restarting Notepad++. (Fix #17909)
8. Make “(?)” tooltip in preferences & Find in Files dialogs persitant & reduce display delay. (Fix #17995, #16961)
9. Fix visual glitch in Mark dialog when in reduced mode. (Fix #17983)

Notepad++ v8.9.4 crash-fixexs, bug-fixes & new improvements:

1. Fix crashes in FindInFiles when nativeLang.xml’s “find-result-hits” contains “%s”. (Fix #17960, CVE-2026-3008, CVE-2026-6539)
2. Fix drop-file crash when file path length reaches 259 characters. (Fix #17921)
3. Fix crash caused by undoing column editor bad input in virtual space. (Fix #17915)
4. Fix bad column editor input in reverse-direction column selection on virtual space. (Fix #17915)
5. Update to Scintilla 5.6.1 & Lexilla 5.4.8. (Fix #17920, #17864, #13522, #11746)
6. Fix EOL conversion to Windows format not working (Scintilla update related). (Fix #17920)
7. Fix rendering corruption in .bat files (Lexilla update related). (Fix #17864)
8. Fix quote escaping causing incorrect JSON syntax highlighting (Lexilla update related). (Fix #11746, #13522)
9. Fix MSI installation error due to context menu item registration. (Fix #17918)
10. Fix NSIS installation stalling caused by context menu registration issue. (Fix #17308, #17885)
11. Add NPP_LANG property to install a specific localization file for MSI. (Fix issue reported in comment)
12. Fix MSI installer display random Hexadecimal number as name on UAC. (Fix #17967)
13. Add version info into MSI file property (as value of “Comments”). (Fix #17803)
14. Fix minimized window not restoring in administrator mode. (Fix #17945)
15. Fix Unicode search mismatching ANSI character ‘?’. (Fix #17125)
16. Fix Column Editor regression with empty fields. (Fix #17912)
17. Fix floating dialog content not displaying in certain situations. (Fix #17563)
18. Fix visual glitch when toggling group view in Document List. (Fix #14285)
19. Support improved C++ 11 raw string literal handling. (Fix #17875)
20. Fix visual glitch in the Mark dialog. (Fix #16084, #17886)

For security reason, this version was released in a rush, without nofifying the community.

PeterJones

From what I can tell, based on quick experiments, deriving implications to what @donho said and the commits that fix those CVE:

2. Fix arbitrary code execution vulnerability via config.xml

• <GUIConfig name="commandLineInterpreter">"C:\path\with spaces\to\cli.exe"</GUIConfig> in config.xml will no longer do anything
• instead, there is a “open into PowerShell” alongside all the menus that have “open into cmd” (or similar phrasing for that command in the various menus and context menus)

3. Fix arbitrary code execution vulnerability via shortcuts.xml

• Any shortcuts that start with http: will be flagged, and you will be prompted to confirm every time.
• Any shortcuts that resolve to an executable location outside of the trusted locations (whether by relying on PATH, or by harcoding the path to the executable), will warn you every time you try to run that command. (Trusted locations include Program Files or Program Files (x86) or windows\system32 or windows\ directories).

:-(

I think the remediation to this one takes things too far. Not all compilers, interpreters, and helper programs live in the Program Files or Windows hiearchies (I personally have another location where I often install such things). And now you are going to ask me to confirm I want to run my external application every single time I try to run it, with no way to say “always allow” to that dialog. This will cause a major headache for anyone who, like me, intentionally runs things that don’t live in Program Files. That will not result in increased security: that will result in driving users away from Notepad++ if they can no longer use the automation features of the application.

For example, Strawberry Perl, the primary Perl interpreter installation for Windows, installs into c:\strawberry by default, and parts of its toolchain have problems if you install into a directory like c:\program files\ with spaces in the filename; there are lots of engineering tools I have used that have problems with spaces in the path as well; and since I also use the gcc that comes with Strawberry Perl, that means that both my Perl interpreter and my C/C++ compiler that I use from Notepad++ will ask me to confirm every time. I’m really not sure that’s a usable workflow for me. Am I not going to ever be able to upgrade beyond Notepad++ v8.9.6? If not, that will be unfortunate.

donho

Note:
For fixing arbitrary code execution vulnerability via config.xml, “commandLineInterpreter” was removed, but “PowerShell here” command has been added, so I don’t think it’ll be an issue, though users who use “commandLineInterpreter” should be notified.
However, we might have some complains for fixing arbitrary code execution vulnerability via shortcuts.xml, due to the security warning, if the binary is not located under one of the fowing loctions:

• C:\Program Files,
• C:\Program Files (x86)
• C:\Windows\System32
• C:\Windows

Unfortunately, I haven’t yet found a way to store the definate “Never show the confirmation dialog” safely. Please let me know if anyone here has some ideas.

donho

@PeterJones said:

:-(

How about an empty supressRunAlertDialog.xml besides of notepad++exe to suppress the warning dialog?

fml2

When installing the latest version (8.9.6.1) I get the following error which I’ve never seen before:

Does anybody have a clue about this?

donho

@fml2
Which installer did you use?

fml2

@donho The one I downloaded from the official web site https://notepad-plus-plus.org/downloads/v8.9.6.1/ (64 bit).

PeterJones

@donho said:

How about an empty supressRunAlertDialog.xml besides of notepad++exe to suppress the warning dialog?

I think that should work:

• in a normal install, that would be in the safe/UAC-protected Program Files hierarchy, so couldn’t be created by a malicious actor without UAC
• it would allow someone with admin privileges to make the executive decision to disable that safety feature

It could, in theory, be made more fine-grained – the XML could contain actual information, such as a list of “additional safe directories” (like Excel allows you to specify so that you can run VBA macros even if your file is in an alternate location), so your for-loop across the safe directories could include those from that file.

The empty file would obviously be easier to implement, but I would be fine with either solution. (And given how many CVE’s have been fixed in v8.9.4-v8.9.6.1, I don’t think my complaint about this one should prevent triggering auto-update, since I make do with existing until v8.9.7)

donho

@fml2 ,

The one I downloaded from the official web site https://notepad-plus-plus.org/downloads/v8.9.6.1/ (64 bit).

I know.
What I need to know as information is, x64 or x86? NSIS exe Installer or MSI?

donho

@PeterJones said:

It could, in theory, be made more fine-grained – the XML could contain actual information, such as a list of “additional safe directories” that Excel allows you to specify so that you can run VBA macros even if your file is in an alternate location, so your for-loop across the safe directories could include those from that file.

The empty file would obviously be easier to implement, but I would be fine with either solution. (And given how many CVE’s have been fixed in v8.9.4-v8.9.6.1, I don’t think my complaint about this one should prevent triggering auto-update, since I make do with existing until v8.9.7)

The empty XML file is not only easier to implement, but it is also the only viable solution IMO. I considered storing a list of user-validated commands, or even a simple boolean like “Never Alert Dialog” inside config.xml - but obviously config.xml is not in a protected directory, as described in CVE-2026-48778.

OTOH, supressRunAlertDialog.xml solves the issue - it can be placed by users with admin rights to restore the old behaviour back (no confirmation dialog), andwe can also include it in the installer (WITHOUT by default) so the previous behaviour can be restored during the installation - with the user’s awareness.

Sorry for breaking the old workflow - but I cannot simply ignore this vulnerability. The reporter will publish it in 3 months anyway, with or without a fix, and it is a valid issue.

PeterJones

@donho said:

the only viable solution IMO

It’s not the only viable solution. The exception list could go in suppressRunAlertDialog.xml in the Program Files directory – so the user with Admin/UAC could edit the list, but a normal user could not – and this is what I was trying to imply with my phrasing above, but apparently didn’t get that point across. There is zero difference in security between an empty suppressRunAlertDialog.xml in Program Files and a suppressRunAlertDialog.xml in Program files containing actual XML data with the list of files.

But as I said, I’d be fine with the simpler version.

fml2

@donho x64, installer (exe)