Exploit Released for Windows Notepad Vulnerability
A proof-of-concept (PoC) exploit has been made public for a vulnerability in Windows Notepad that permits malicious command execution. The flaw allows command injection through manipulated file content. Security teams are advised to apply the available patches and audit systems for any unusual use of the text editor.
- The vulnerability is officially tracked as CVE-2026-20841 and was discovered by researchers Cristian Papa, Alasdair Gorniak, and Chen.
- It specifically affects the modern Microsoft Store version of Notepad on Windows 11, which supports Markdown rendering; the traditional `notepad.exe` is not vulnerable.
- The exploit works by tricking a user into opening a specially crafted Markdown (.md) file and then Ctrl+clicking a malicious link.
- This action can execute commands without the usual Windows security warnings because of improper validation of link protocols such as `file://` or `ms-appinstaller://`.
- Microsoft addressed the flaw in its February 2026 Patch Tuesday security updates.
- The patched version of Notepad (11.2510 or later) now displays a warning prompt when a user clicks a non-HTTP/HTTPS link.
- The vulnerability is rated high severity with a CVSS score of 7.8, allowing remote code execution in the security context of the logged-in user.
- This security issue arose after Microsoft added Markdown support to Notepad in 2025, a feature intended to modernize the basic text editor.
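As an added example (not code from the article or from Microsoft), a small Python check a defender could run over .md files before they are opened: it extracts Markdown link targets and reports any whose scheme is not http or https, the same condition the patched Notepad now warns about, plus a helper that tells whether a Notepad version string is 11.2510 or later. The sample document, hostnames and paths are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Link forms a Markdown renderer resolves: inline [text](url), autolink <url>,
# and reference definitions "[label]: url" on their own line.
_INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^\s)<>]+)>?[^)]*\)")
_AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^\s<>]+)>")
_REFDEF = re.compile(r"^ {0,3}\[[^\]]+\]:\s*<?([^\s<>]+)>?", re.MULTILINE)

# Only these schemes are expected in a document link; anything else
# (file://, ms-appinstaller://, ...) is reported for review.
SAFE_SCHEMES = {"http", "https"}

# Constructed sample document; hosts and paths are placeholders.
SAMPLE_MD = """# Release notes (constructed sample for this example)
Read the [docs](https://example.com/docs "project docs") and [section 2](#section-2).
Local build: [open](file:///C:/example/tool.exe)
Installer: <ms-appinstaller://placeholder.example/app.msix>

[archive]: file:///C:/example/old-notes.txt
"""

def extract_links(markdown: str) -> list[str]:
    """Return every link target found, grouped by link form (inline, autolink, reference)."""
    found = []
    for pattern in (_INLINE, _AUTOLINK, _REFDEF):
        found.extend(m.group(1) for m in pattern.finditer(markdown))
    return found

def suspicious_links(markdown: str) -> list[tuple[str, str]]:
    """Return (scheme, url) for each link whose scheme is not http/https.
    Relative links and fragments have no scheme and are not reported; a bare
    drive path such as C:/x parses as scheme 'c' and is reported as well."""
    flagged = []
    for url in extract_links(markdown):
        scheme = urlsplit(url).scheme.lower()
        if scheme and scheme not in SAFE_SCHEMES:
            flagged.append((scheme, url))
    return flagged

def notepad_is_patched(version: str) -> bool:
    """True when a Notepad version string is 11.2510 or later, the fixed
    release named in the article; only the first two components matter."""
    parts = [int(p) for p in version.split(".")[:2]]
    return parts >= [11, 2510]
```

Calling `suspicious_links(SAMPLE_MD)` reports the two `file://` links and the `ms-appinstaller://` link while leaving the https link and the `#section-2` fragment alone.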