• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Sq Magazine LogoSQ Magazine

Smarter Insights for a Fast-Moving Digital World

  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Sq Magazine Logo
  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Home » Cybersecurity

Notepad++ 8.9.7 Patches Five Security Vulnerabilities

Published on: July 15, 2026
Sofia Ramirez
Written By
Sofia Ramirez
Sofia Ramirez
Senior Tech Writer • 494 Articles
Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps reader...
LATEST POSTS:
Is WhatsApp Safe? Security and Privacy Risks Explained
Telegram’s t.me Domain Suspended Amid OFAC Sanctions Link
ShinyHunters Abuses Salesforce OAuth to Bypass MFA
Robert A. Lee
Reviewed By
Robert A. Lee
Robert A. Lee
Senior Editor • 408 Articles
Robert A. Lee is a journalist at SQ Magazine who unpacks the fast-moving worlds of gaming and internet trends. He tracks everything from maj...
LATEST POSTS:
Social Media Demographics by Platform Statistics 2026: A Definitive Guide
Amazon Music Statistics 2026: Subscribers, Share and Revenue
Document AI Statistics 2026: How Businesses Are Automating Paperwork
Notepad 8 9 7 Patches Five Security Vulnerabilities
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo
Share on LinkedIn ChatGPT Perplexity Share on X Share on Facebook

Notepad++ published a security release on July 14, 2026, patching five vulnerabilities in its session-file handling, environment-string expansion, and built-in updater. Version 8.9.7, codenamed “Slava Ukraini,” fixes three CVE-tracked bugs and two more tracked only as GitHub Security Advisories (GHSA).

Quick Summary – TLDR:

  • Notepad++ shipped version 8.9.7, fixing five security vulnerabilities across config files, environment strings, and its update chain.
  • The most severe flaw, CVE-2026-54758, is a stack buffer overflow in the expandNppEnvironmentStrs function that could allow memory corruption or code execution.
  • CVE-2026-57233, a Zip Slip path-traversal bug in WinGUp, Notepad++’s auto-updater, could let a spoofed update package write files outside its intended folder.
  • Two more flaws touch session.xml and shortcuts.xml, the editor’s own configuration files, plus an install-time PowerShell command-injection issue in the installer.
  • Notepad++’s auto-updater is scheduled to push 8.9.7 to users automatically within two weeks if no regressions surface, per CyberPress’s security-desk coverage.

Notepad++ Ships v8.9.7 With Five Vulnerability Fixes

Notepad++, the free Windows text and code editor used by millions of Windows users, including developers and IT administrators, posted its v8.9.7 changelog directly on the project’s own site. Three of the five bugs carry a CVE identifier. The other two remain listed only as advisories according to GitHub, the platform hosting the project’s security advisory database.

Cybersecurity Attack data increasingly show attackers probing developer tooling rather than end users directly. This release fits that pattern closely: every one of the five bugs needs the editor to process something an attacker supplied, a session file, an archive, a macro config, or installer input.

That same framing shows up per GBHackers’ account of the disclosures, which ties the risk directly to Notepad++ processing a file an attacker controls rather than a flaw a user triggers on their own.

CVE / GHSA IDVulnerabilityAffected Component
CVE-2026-52886 (GHSA-rqfm-pw34-r7j6)session.xml backupFilePath starts_with bypassSession file handling
CVE-2026-54758 (GHSA-gv94-327x-2gc5)Stack buffer overflow in expandNppEnvironmentStrsEnvironment string expansion
CVE-2026-57233 (GHSA-hjxw-84rf-wg5r)Zip Slip (path traversal)WinGUp updater
Pending (GHSA-f4rj-vqq4-wvg4)shortcuts.xml macro HMAC bypassMacro integrity verification
Pending (GHSA-gp2r-262h-9hgf)PowerShell command injectionInstaller

The project’s own fix notes describe the session.xml repair in one line: Enhance loading session.xml security by normalizing the file paths. That single fix, plus a matching change to shortcuts.xml, turns two config files into what amounts to a path validation problem.

The Update Channel Becomes Part of the Attack Surface

Two of the five bugs sit inside the machinery Notepad++ uses to patch itself. A Zip Slip flaw in WinGUp lets a crafted ZIP file with “../” traversal entries write outside its intended extraction directory during an update, and if an attacker can intercept or spoof the update package, that flaw could enable code execution with the privileges of the updater process. A separate fix improves the robustness of a PowerShell command run during setup, closing a path where badly sanitized install time input could trigger unintended commands.

That combination is the sharper story. The tool millions of IT teams trust to deliver a fix automatically was, until this release, capable of carrying one instead, which argues for more scrutiny of auto-update trust in managed environments, not less. Security teams and IT administrators managing Notepad++ deployments should prioritize manual updates over automated rollouts, particularly where the editor runs with elevated privileges or handles sensitive configuration files.

Config Files Turn Into a Silent Attack Vector

session.xml and shortcuts.xml are plain configuration files anyone can open in a text editor, yet two patches exist because Notepad++ trusted them more than it should have. The shortcuts.xml macro HMAC bypass could let tampered macro definitions be accepted as legitimate, a risk that grows for teams that share or import Notepad++ settings across a roaming profile or a managed desktop image.

None of the 5 bugs fires on its own. Each needs an attacker supplied file, so exposure concentrates in workstations that open untrusted attachments, CI runners that invoke the editor on fetched files, and shared or managed desktops rather than an isolated single-user install.

Under the hood, the release also bumps Scintilla to 5.6.4, Lexilla to 5.5.1, and pugixml to v1.16, the parsing and rendering libraries Notepad++ builds on.

Newsletter
Don’t chase tech news. We track it for you.

One weekly briefing with the launches, AI developments, and breaches that matter. No filler.

SQ Magazine’s Takeaway

The headline bug is CVE-2026-54758‘s stack buffer overflow, but the more useful read is which two flaws sit in the update chain itself. A patch that fixes the updater is a different risk category from a patch that fixes a rendering library, because until it is applied, the update mechanism cannot be fully trusted to deliver itself safely.

That is not a reason to distrust Notepad++ specifically. It is a reason every managed environment should verify what an auto-updater actually does before assuming it will patch itself.

What’s Next: Notepad++’s auto-updater is scheduled to push 8.9.7 automatically within two weeks if no regressions surface, so IT teams on managed or elevated-privilege machines have a narrow window to push it manually rather than wait. Watch the project’s community forum for reported regressions, and treat any inbound session file, macro export, or installer package from outside official channels as untrusted until 8.9.7 is confirmed running.

This article has been reviewed and fact-checked by Robert A. Lee. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Share ChatGPT Perplexity

References

  • Notepad++ v8.9.7 - Slava Ukraini (Official Release Notice)
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Openai S First Hardware Device Is Reportedly A Screenless Speaker
Artificial Intelligence

OpenAI’s First Hardware Device Is Reportedly a Screenless Speaker

Claude For Teachers Launched
Artificial Intelligence

Anthropic Gives Verified K-12 Teachers Free Claude Access

Kalshi S World Cup Odds In Chatgpt
Artificial Intelligence

OpenAI Shows Kalshi’s World Cup Odds in ChatGPT

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment Cancel reply

Primary Sidebar

Connect With Us

facebook x linkedin google-news telegram pinterest whatsapp email
google-preferred-source-badge Add as a preferred source on Google

You Should Also Read

Is WhatsApp Safe? Security and Privacy Risks Explained
Telegram’s t.me Domain Suspended Amid OFAC Sanctions Link
ShinyHunters Abuses Salesforce OAuth to Bypass MFA

Table of Contents

  • Quick Summary – TLDR:
  • Notepad++ Ships v8.9.7 With Five Vulnerability Fixes
  • The Update Channel Becomes Part of the Attack Surface
  • Config Files Turn Into a Silent Attack Vector
  • SQ Magazine’s Takeaway
Connect on Telegram

Footer

SQ Magazine Logo

Smarter Insights for a Fast-Moving Digital World

Connect With Us

Follow Us on Google News

Editorial & Trust

  • About
  • Publishing Principles
  • Fact-Check Policy
  • Corrections Policy
  • Ethics Policy
  • Disclaimer

Worth Checking

  • Social Media Attention Span Stats
  • Gen Z Social Media Statistics
  • TikTok vs. Instagram Statistics
  • LLM Hallucination Statistics
  • Spotify User Statistics
  • Apple Customer Loyalty Statistics
Contact Us
13570 Grove Dr #189,
Maple Grove, MN 55311,
United States
10 a.m. to 6 p.m. | Every day

Copyright © 2022–2026 SQ Magazine. All Rights Reserved. Powered by the Neural Stack.

  • Privacy Policy
  • Terms
  • Accessibility Statement
Company
  • About Us
  • Our Team
  • Our Mission
  • Core Values
Discover
  • Brand Assets
    Brand Assets
  • Stats Methodology
    Stats Research Process
  • Glossary
    Glossary
Categories
  • Internet
  • Technology
  • Artificial Intelligence
  • Gaming
  • Cybersecurity
Internet
Social Media Demographics By Platform
Social Media Demographics by Platform Statistics 2026: A Definitive Guide
Amazon Music Statistics
Amazon Music Statistics 2026: Subscribers, Share and Revenue
How Many People Use YouTube
How Many People Use YouTube 2026: Users by Country
How Many People Work At Amazon
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
Hulu Statistics
Hulu Statistics 2026: Subscribers, Revenue and Market Share
Spotify vs Apple Music Statistics
Spotify vs Apple Music Statistics 2026: Subscribers, Revenue, Market Share
Technology
Google Cloud Platform Statistics
Google Cloud Platform Statistics 2026: Market Growth
Asana Statistics
Asana Statistics 2026: Revenue, Customers, AI ARR and Market Share
AWS Statistics
AWS Statistics 2026: Revenue, Market Share and AI Growth
Adobe Creative Cloud Statistics
Adobe Creative Cloud Statistics 2026: Subscribers, Revenue and Market Share
Adobe Statistics
Adobe Statistics 2026: Revenue, ARR, and Workforce Data
Employee Productivity Statistics
Employee Productivity Statistics 2026: Engagement, Costs & Trends
Artificial Intelligence
ChatGPT vs Claude vs Gemini vs Perplexity Statistics
ChatGPT vs Claude vs Gemini vs Perplexity Statistics 2026: Users, Revenue & Market Share
How Many People Work At Midjourney
How Many People Work At Midjourney 2026: Lean Team, Big Revenue
Grammarly AI Statistics
Grammarly AI Statistics 2026: Users, Revenue, Funding, Rebrand
Copilot Statistics
Copilot Statistics 2026: Users, Adoption, Revenue and Market Share
AI Image Generation Statistics
AI Image Generation Statistics 2026: Market Size, Adoption & Risks
Machine Learning Adoption
Machine Learning Adoption in 2026: What Businesses Need to Know
Gaming
Online Gambling Regulations Statistics
Online Gambling Regulations Statistics 2026: Global Compliance and Enforcement Data
Fantasy Sports Statistics
Fantasy Sports Statistics 2026: Users, Revenue & Trends
Apex Legends Statistics
Apex Legends Statistics 2026: Players, Revenue, and Esports
Fortnite Statistics
Fortnite Statistics 2026: Players, Revenue, Esports, and Engagement
Gamers Statistics
Gamers Statistics 2026: Players, Habits & Global Data
Minecraft Statistics
Minecraft Statistics 2026: 300 Million Copies Sold & 212M Monthly Players
Cybersecurity
Password Statistics
Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point
Identity Theft Statistics
Identity Theft Statistics 2026: Key Fraud Data and Trends
CVE Statistics
CVE Statistics 2026: Severity Distribution and Top Affected Vendors
Dark Web AI Tool Marketplace Statistics
Dark Web AI Tool Marketplace Statistics 2026: Explosive Market Growth
API Security Breach Statistics
API Security Breach Statistics 2026: Hidden Threats
AI Voice Cloning Fraud Statistics
AI Voice Cloning Fraud Statistics 2026: Alarming Trends You Must Know Now
Categories
  • Cybersecurity
  • Artificial Intelligence
  • Internet
  • Technology
  • Gaming
Cybersecurity
Notepad 8 9 7 Patches Five Security Vulnerabilities
Notepad++ 8.9.7 Patches Five Security Vulnerabilities
Telegram S T Me Domain Suspended Amid Ofac Sanctions Link
Telegram’s t.me Domain Suspended Amid OFAC Sanctions Link
Shinyhunters Abuses Salesforce Oauth To Bypass Mfa
ShinyHunters Abuses Salesforce OAuth to Bypass MFA
Lidl Confirmed Data Breach Of Online Store
Lidl Confirms Data Breach at Third-Party IT Provider
Ghostcommit Attack Hides Prompt Injection Inside Images
GhostCommit Attack Hides Prompt Injection Inside Images
Tangem Wallet Cards Vulnerable To Laser Fault Attack
Tangem Wallet Cards Vulnerable to Laser Fault Attack
Artificial Intelligence
Openai S First Hardware Device Is Reportedly A Screenless Speaker
OpenAI’s First Hardware Device Is Reportedly a Screenless Speaker
Claude For Teachers Launched
Anthropic Gives Verified K-12 Teachers Free Claude Access
Kalshi S World Cup Odds In Chatgpt
OpenAI Shows Kalshi’s World Cup Odds in ChatGPT
Anthropic Extends Claude Fable 5 Access Again
Anthropic Extends Claude Fable 5 Access Again
Openai Launches Chatgpt Work With Gpt 5 6 Agents
OpenAI Launches ChatGPT Work With GPT-5.6 Agents
Openai Shuts Down Standalone Atlas Browser
OpenAI Shuts Down Standalone Atlas Browser
Internet
Whatsapp Launches Username Reservation Feature
WhatsApp Opens Username Reservations for Its 3 Billion Users
Chrome 149 Update Fixes Serious Vulnerabilities
Google Chrome 149 Fixes 18 Serious Security Flaws
Meta Hands Whatsapp Reins To Cred Founder Kunal Shah
Meta Hands WhatsApp Reins to CRED Founder Kunal Shah
Major X Outage Disrupts Users Worldwide
Major X Outage Disrupts Users Worldwide, Service Restored
Meta Adds 13 Plus Age Verification For Teen Safety
Meta Adds 13+ Content Settings and AI Age Checks for Teens
Telegram Restricted In India Temporarily
Telegram Restricted in India as NEET Fraud Crackdown Grows
Technology
Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks
Microsoft Lays Off 4800 Employees
Microsoft Cuts 4,800 Jobs, Resets Xbox Strategy
Chrome Update Fixes 382 Vulnerabilities
Chrome 150 Patches 382 Security Fixes, 15 Critical
Apple Leak Reveals Six New Iphones For 2027
Massive Apple Leak Reveals Six New iPhones for 2027
Google Finance Comes Out Of Beta With Android App
Google Finance Gets Major AI Upgrade and New Android App
Windows Recycle Bin Bug Confirmed After June Security Update
Windows Recycle Bin Bug Confirmed After June Security Update
Gaming
Gta Vi Official Cover Art
GTA 6 Pre-Orders Start June 25, New Cover Art Unveiled
Epic Games Teases Unreal Engine 6 For Rocket League
Epic Games Teases Unreal Engine 6 for Rocket League
Stardew Valley Launched For Nintendo Switch 2 Edition
Stardew Valley Switch 2 Edition Arrives with Online Co-op
Hogwarts Legacy Game Crosses 40m Downloads
Hogwarts Legacy Crosses 40M Sales, Beating Industry Giants
Pubg Black Budget Closed Alpha Launched
PUBG: Black Budget Launches Closed Alpha Test With a Bold PvPvE Twist
Counter Strike 2 Skin Market Crashes After Valve Update
Counter-Strike 2’s $5.9 Billion Skin Economy Just Got Shattered
Newsletter

Too much tech noise?

We respect your time. One high-signal briefing a week — tech, AI, and security. Nothing else.

Newsletter

The SQ Briefing

We track tech, AI, and security 24/7. You get a 5-minute weekly summary.