Vulnerability in Notepad-plus-plus

CVE-2026-52885

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-me…

Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)
