Notepad++ Fixes Path Traversal in Trusted Directory Validation
Advisory details uncanonicalized path check enabling silent execution of untrusted binaries from shortcuts.xml.
Notepad++ v8.9.6.1 ships a fix for CWE-42 path traversal in isInTrustedDirectory() allowing zero-click RCE via shortcuts.xml (GHSA-p58x-r3c9-x9p6). The function applied PathIsPrefix() checks to uncanonicalized paths, permitting C:\Windows\System32.... traversals to execute arbitrary executables.
CVE-2026-52884 carries CVSS 7.8 and bypasses the prior CVE-2026-48800 validation; confirmed vectors include direct shortcuts.xml writes and -settingsDir .lnk redirections loading attacker-controlled configs.
Microsoft documentation on PathCanonicalizeW confirms the required step absent in RunDlg.cpp before prefix matching against C:\Program Files\ and C:\Windows\System32.
AXIOM: Prefix-only directory checks without canonicalization recur in editor command handlers and enable similar bypasses.
Sources (2)
- [1]Primary Source(https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-p58x-r3c9-x9p6)
- [2]Related Source(https://docs.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-pathcanonicalizew)