Notepad++ Zero-Click RCE via Path Traversal (CVE-2026-52884)

A “silent launch” bug sparks a comment war over whether this is scary or just overhyped

TLDR: A flaw in Notepad++ can let disguised file paths launch programs without the app’s normal warning, which matters because it weakens a safety feature users rely on. But the comment section is split between calling it an embarrassing basic mistake and mocking the “zero-click” label as overdramatic.

Notepad++ has landed in a fresh security mess after researchers showed a way to make the app launch programs without popping its usual warning. In plain English: a path can be dressed up to look safe because it starts with a trusted Windows folder, even though it actually leads somewhere else. That means a sneaky command hidden in Notepad++ settings could run something nasty in the background. Security folks call that a big deal. The comments? Absolute food fight.

The loudest reaction was pure exasperation. One commenter compared the bug to someone who can only follow the LEGO instruction booklet and never thinks to test the obvious “what if I go outside the lines?” case. Ouch. But the real drama came from people dragging the “zero-click” label. Several readers flat-out said the name is doing way too much work, arguing that if an attacker can already change your settings file or trick you into opening a malicious shortcut, the hard part is basically over. In other words: yes, the safety check is broken, but is this really the cyber-doom headline it sounds like?

Then came the side-quest chaos: one commenter accused another post of sounding suspiciously machine-written, because apparently even a bug thread can turn into an “is this AI?” brawl. So while the technical fix seems straightforward—check the real final path, not the costume—the community verdict is split between “embarrassing miss” and “oversold panic.” Either way, Notepad++ just got roasted from every angle.

Key Points

  • The article describes a reported vulnerability in Notepad++ v8.9.6.1 that can bypass trusted-directory validation and enable arbitrary code execution without a warning dialog.
  • It says the bypass affects the CVE-2026-48800 mitigation because `isInTrustedDirectory()` performs a prefix-based check without canonicalizing the path first.
  • A path such as `C:\Windows\System32\..\..\Users\[USERNAME]\Downloads\mimikatz.exe` is presented as resolving to an untrusted location while still passing the trusted-directory check.
  • The article also claims trusted executables such as `cmd.exe`, `powershell.exe`, and `rundll32.exe` can be used as launchers from `shortcuts.xml` without triggering a security prompt.
  • The proposed fix is to canonicalize paths with APIs such as `PathCanonicalize()` or `GetFullPathNameW()` before checking whether they reside in trusted directories.
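The flaw in the key points above is a prefix check applied to a path that has not been resolved, so a `..` segment lets a path that starts with a trusted folder end up somewhere else. The following Python is an added illustration, not code from Notepad++ or from the article: it puts the naive prefix check beside a check that canonicalizes first. `ntpath.normpath`/`ntpath.normcase` stand in for `GetFullPathNameW()`/`PathCanonicalize()` so the example runs on any platform; the trusted-directory list, the username `alice`, and the sample paths are constructed, and the `System32Evil` case goes beyond the article to show why the prefix must also end at a directory boundary.

```python
import ntpath

# Constructed list standing in for whatever Notepad++ treats as trusted locations.
TRUSTED_DIRS = [r"C:\Windows\System32", r"C:\Program Files\Notepad++"]

# Sample paths (constructed; the traversal path mirrors the one quoted in the article).
TRAVERSAL_PATH = r"C:\Windows\System32\..\..\Users\alice\Downloads\mimikatz.exe"
MIXED_SEPARATOR_PATH = r"C:/Windows/System32/../../Users/alice/Downloads/mimikatz.exe"
SIBLING_DIR_PATH = r"C:\Windows\System32Evil\payload.exe"
GENUINE_PATH = r"C:\Windows\System32\.\notepad.exe"


def is_in_trusted_directory_naive(path: str) -> bool:
    """The flawed pattern: compare the raw string against the trusted prefixes.

    Any path that merely *begins* with a trusted folder passes, including
    ones that climb back out with '..' or that live in a sibling folder
    whose name shares the prefix.
    """
    p = path.lower()
    return any(p.startswith(d.lower()) for d in TRUSTED_DIRS)


def canonicalize(path: str) -> str:
    """Resolve '.' and '..' segments and normalise separators and case.

    Stand-in for GetFullPathNameW()/PathCanonicalize(); on real Windows code
    the Win32 API should be used so that relative paths are resolved against
    the actual working directory as well.
    """
    return ntpath.normcase(ntpath.normpath(path))


def is_in_trusted_directory(path: str) -> bool:
    """Hardened check: canonicalize first, then require a directory-boundary match."""
    resolved = canonicalize(path)
    for trusted in TRUSTED_DIRS:
        # Ensure the trusted prefix ends at a separator so 'System32Evil' does not
        # match 'System32'.
        trusted_prefix = canonicalize(trusted).rstrip("\\") + "\\"
        if resolved.startswith(trusted_prefix):
            return True
    return False


def check_samples() -> dict:
    """Run both checks over the constructed samples; returns {path: (naive, hardened)}."""
    samples = [TRAVERSAL_PATH, MIXED_SEPARATOR_PATH, SIBLING_DIR_PATH, GENUINE_PATH]
    return {
        s: (is_in_trusted_directory_naive(s), is_in_trusted_directory(s))
        for s in samples
    }


if __name__ == "__main__":
    for sample, (naive, hardened) in check_samples().items():
        print(f"{sample}\n  resolves to: {canonicalize(sample)}\n"
              f"  naive={naive}  hardened={hardened}")
```

Running it shows the traversal path resolving to `c:\users\alice\downloads\mimikatz.exe`: the naive check accepts it, the canonicalizing check rejects it, and the genuine `System32` path still passes both. Canonicalization fixes only the traversal; the article's separate claim, that already-trusted binaries can act as launchers, is a policy question about which executables belong on the trusted list and is not addressed by resolving the path.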

Hottest takes

"people who build LEGO their whole lives but never once stray away from the step-by-step manual" — bflesch
"No one wants to interact with a comment that's not written by a human" — LiamPowell
"if you can execute code as a user you can execute code as a user" — rcxdude

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.