CVE-2025-15556
Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- February 02, 2026
- Published Date
- February 03, 2026
- Last Updated
- March 05, 2026
- Vendor
- notepad-plus-plus
- Product
- notepad-plus-plus
- Description
- Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
- Tags
- Exploitation
- active
- Technical Impact
- total
- Exploited in the Wild
- Yes (2026-06-01 10:50:56 UTC) Source
cisa
CVSS Scores
CVSS v4.0
7.7 - HIGH
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC Information
Exploit Status
References
https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2026-06-01 10:50:56 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel