Exploit Released for Windows Notepad Vulnerability

Published by The Daily Scout

What happened

A proof-of-concept (PoC) exploit has been made public for a vulnerability in Windows Notepad that permits malicious command execution. The flaw utilizes command injection through manipulated file content. Security teams are advised to monitor for available patches and audit systems for any unusual use of the text editor.

Why it matters

- The vulnerability is officially tracked as CVE-2026-20841 and was discovered by researchers Cristian Papa, Alasdair Gorniak, and Chen.
- It specifically affects the modern Microsoft Store version of Notepad on Windows 11, which supports Markdown rendering; the traditional `notepad.exe` is not vulnerable.
- The exploit works by tricking a user into opening a specially crafted Markdown (.md) file and then Ctrl+clicking a malicious link.
- This action can execute commands without the usual Windows security warnings because of improper validation of link protocols like `file://` or `ms-appinstaller://`.
- Microsoft addressed the flaw in its February 2026 Patch Tuesday security updates.
- The patched version of Notepad (11.2510 or later) now displays a warning prompt when a user clicks on non-HTTP/HTTPS links.
- The vulnerability is rated as high-severity with a CVSS score of 7.8, allowing for remote code execution within the security context of the logged-in user.
- This security issue arose after Microsoft added Markdown support to Notepad in 2025, a feature intended to modernize the basic text editor.
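A defender-side check that mirrors the patched behaviour described above, added here as an example that is not part of the original article or of Notepad's own code: it pulls every link target out of a Markdown file and reports those whose scheme is anything but http/https (file://, ms-appinstaller://, drive-letter paths, relative links), so a team can audit .md files before users open them. The sample text, the allowlist policy and the treatment of scheme-less links are assumptions.

```python
import re
from urllib.parse import urlsplit

# The patched Notepad (11.2510+) prompts before following anything that is
# not HTTP/HTTPS; this allowlist mirrors that policy (assumed, from the report).
ALLOWED_SCHEMES = {"http", "https"}

# Inline links/images: [text](target "title") or [text](<target>).
_INLINE_LINK = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')
# Autolinks: <scheme:rest>
_AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]+)>")

def extract_link_targets(markdown):
    """All link targets in document order; an autolink inside an inline link's
    parentheses is not counted twice."""
    found = [(m.start(), m.end(), m.group(1)) for m in _INLINE_LINK.finditer(markdown)]
    spans = [(s, e) for s, e, _ in found]
    for m in _AUTOLINK.finditer(markdown):
        if not any(s <= m.start() < e for s, e in spans):
            found.append((m.start(), m.end(), m.group(1)))
    return [t for _, _, t in sorted(found)]

def link_scheme(target):
    """Lower-cased scheme of a target; '' for relative links. A one-letter
    'scheme' (a Windows drive letter followed by a path) is a local file."""
    scheme = urlsplit(target.strip()).scheme.lower()
    return "file" if len(scheme) == 1 else scheme

def needs_warning(target):
    """True when the patched policy would prompt: anything not http(s).
    Assumption: scheme-less (relative) links are prompted for as well, since
    the renderer would resolve them against the local file system."""
    return link_scheme(target) not in ALLOWED_SCHEMES

def audit_markdown(markdown):
    """(scheme, target) for each link in the file that would trigger the prompt."""
    return [(link_scheme(t) or "(none)", t)
            for t in extract_link_targets(markdown) if needs_warning(t)]

# Constructed sample .md, not a real file; the non-http targets are placeholders.
SAMPLE_MD = r"""Read the [docs](https://example.com/docs "Docs") or the [FAQ](HTTP://example.com/faq).
Local copy: [open](file:///C:/Users/Public/notes.txt)
Installer: <ms-appinstaller://PLACEHOLDER-not-a-real-target>
See also [changelog](./CHANGELOG.md) and [drive path](C:\temp\x.txt).
"""

if __name__ == "__main__":
    for scheme, target in audit_markdown(SAMPLE_MD):
        print(f"WARN  {scheme:<16} {target}")
```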

Key numbers

  • The vulnerability is officially tracked as CVE-2026-20841 and was discovered by researchers Cristian Papa, Alasdair Gorniak, and Chen.
  • It specifically affects the modern Microsoft Store version of Notepad on Windows 11, which supports Markdown rendering; the traditional notepad.exe is not vulnerable.
  • Microsoft addressed the flaw in its February 2026 Patch Tuesday security updates.
  • The patched version of Notepad (11.2510 or later) now displays a warning prompt when a user clicks on non-HTTP/HTTPS links.
