---
title: "Notepad++ 8.9.7 Patches Five Security Vulnerabilities"
date: 2026-07-15
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/07/notepad-8-9-7-patches-five-security-vulnerabilities.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Notepad++ 8.9.7 Patches Five Security Vulnerabilities

Notepad++ published a security release on July 14, 2026, patching five vulnerabilities in its session-file handling, environment-string expansion, and built-in updater. Version 8.9.7, codenamed “Slava Ukraini,” fixes three CVE-tracked bugs and two more tracked only as GitHub Security Advisories (GHSA).

## Quick Summary – TLDR:

- Notepad++ shipped version 8.9.7, fixing five security vulnerabilities across config files, environment strings, and its update chain.
- The most severe flaw, CVE-2026-54758, is a stack buffer overflow in the expandNppEnvironmentStrs function that could allow memory corruption or code execution.
- CVE-2026-57233, a Zip Slip path-traversal bug in WinGUp, Notepad++’s auto-updater, could let a spoofed update package write files outside its intended folder.
- Two more flaws touch session.xml and shortcuts.xml, the editor’s own configuration files, plus an install-time PowerShell command-injection issue in the installer.
- Notepad++’s auto-updater is scheduled to push 8.9.7 to users automatically within two weeks if no regressions surface, per CyberPress’s security-desk coverage.

## Notepad++ Ships v8.9.7 With Five Vulnerability Fixes

Notepad++, the free Windows text and code editor used by millions of Windows users, including developers and IT administrators, posted its **v8.9.7** changelog directly on the project’s own site. Three of the five bugs carry a CVE identifier. The other two remain listed only as advisories according to GitHub, the platform hosting the project’s security advisory database.

[Cybersecurity Attack](https://sqmagazine.co.uk/cybersecurity-attacks-statistics/) data increasingly show attackers probing developer tooling rather than end users directly. This release fits that pattern closely: every one of the five bugs needs the editor to process something an attacker supplied, a session file, an archive, a macro config, or installer input.

That same framing shows up per GBHackers’ account of the disclosures, which ties the risk directly to Notepad++ processing a file an attacker controls rather than a flaw a user triggers on their own.

CVE / GHSA IDVulnerabilityAffected Component**CVE-2026-52886** (GHSA-rqfm-pw34-r7j6)session.xml backupFilePath starts\_with bypassSession file handling**CVE-2026-54758** (GHSA-gv94-327x-2gc5)Stack buffer overflow in expandNppEnvironmentStrsEnvironment string expansion**CVE-2026-57233** (GHSA-hjxw-84rf-wg5r)Zip Slip (path traversal)WinGUp updaterPending (GHSA-f4rj-vqq4-wvg4)shortcuts.xml macro HMAC bypassMacro integrity verificationPending (GHSA-gp2r-262h-9hgf)PowerShell command injectionInstallerThe project’s own fix notes describe the session.xml repair in one line: Enhance loading session.xml security by normalizing the file paths. That single fix, plus a matching change to shortcuts.xml, turns two config files into what amounts to a path validation problem.

## The Update Channel Becomes Part of the Attack Surface

Two of the five bugs sit inside the machinery **Notepad++** uses to patch itself. A Zip Slip flaw in WinGUp lets a crafted ZIP file with “**../**” traversal entries write outside its intended extraction directory during an update, and if an attacker can intercept or spoof the update package, that flaw could enable code execution with the privileges of the updater process. A separate fix improves the robustness of a PowerShell command run during setup, closing a path where badly sanitized install time input could trigger unintended commands.

That combination is the sharper story. The tool millions of IT teams trust to deliver a fix automatically was, until this release, capable of carrying one instead, which argues for more scrutiny of auto-update trust in managed environments, not less. Security teams and IT administrators managing Notepad++ deployments should prioritize manual updates over automated rollouts, particularly where the editor runs with elevated privileges or handles sensitive configuration files.

## Config Files Turn Into a Silent Attack Vector

**session.xml** and **shortcuts.xml** are plain configuration files anyone can open in a text editor, yet two patches exist because Notepad++ trusted them more than it should have. The **shortcuts.xml** macro HMAC bypass could let tampered macro definitions be accepted as legitimate, a risk that grows for teams that share or import Notepad++ settings across a roaming profile or a managed desktop image.

None of the **5** bugs fires on its own. Each needs an attacker supplied file, so exposure concentrates in workstations that open untrusted attachments, CI runners that invoke the editor on fetched files, and shared or managed desktops rather than an isolated single-user install.

Under the hood, the release also bumps **Scintilla** to 5.6.4, **Lexilla** to 5.5.1, and **pugixml** to v1.16, the parsing and rendering libraries Notepad++ builds on.

## SQ Magazine’s Takeaway

The headline bug is **CVE-2026-54758**‘s stack buffer overflow, but the more useful read is which two flaws sit in the update chain itself. A patch that fixes the updater is a different risk category from a patch that fixes a rendering library, because until it is applied, the update mechanism cannot be fully trusted to deliver itself safely.

That is not a reason to [distrust Notepad++ specifically](https://sqmagazine.co.uk/notepad-plus-plus-critical-bug-memory-leak/). It is a reason every managed environment should verify what an auto-updater actually does before assuming it will patch itself.

What’s Next: Notepad++’s auto-updater is scheduled to push 8.9.7 automatically within two weeks if no regressions surface, so IT teams on managed or elevated-privilege machines have a narrow window to push it manually rather than wait. Watch the project’s community forum for reported regressions, and treat any inbound session file, macro export, or installer package from outside official channels as untrusted until 8.9.7 is confirmed running.