Home

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

PUBLISHED Reserved 2026-02-02 | Published 2026-02-03 | Updated 2026-02-12 | Assigner VulnCheck




HIGH: 7.7CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA Known Exploited Vulnerability

Date added 2026-02-12 | Due date 2026-03-05

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-494 Download of Code Without Integrity Check

Product status

Default status
unaffected

Any version before 8.8.9
affected

Timeline

2025-12-09:Vulnerability is publicly disclosed
2026-02-02:Announcement of exploitation in the wild

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-15556 government-resource

notepad-plus-plus.org/...s//clarification-security-incident/ third-party-advisory

community.notepad-plus-plus.org/...-v8-8-9-vulnerability-fix release-notes patch

notepad-plus-plus.org/news/hijacked-incident-info-update/ vendor-advisory

github.com/...ommit/bcf2aa68ef414338d717e20e059459570ed6c5ab patch

github.com/...ommit/ce0037549995ed0396cc363544d14b3425614fdb patch

www.vulncheck.com/...ter-lacks-update-integrity-verification third-party-advisory

cve.org (CVE-2025-15556)

nvd.nist.gov (CVE-2025-15556)

Download JSON