
"The version 8.9.2 update incorporates what maintainer Don Ho calls a "double lock" design that aims to make the update process "robust and effectively unexploitable." This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org. In addition to these enhancements, security-focused changes have been introduced to WinGUp, the auto-updater component -"
"The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application. "An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path," Ho said. "This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application.""
Notepad++ released version 8.9.2 to secure its update mechanism after a supply-chain compromise enabled targeted malicious updates. The release implements a "double lock" design: verification of the signed installer downloaded from GitHub and verification of the signed XML returned by the official update server. WinGUp, the auto-updater, had libcurl.dll removed, two insecure cURL SSL options eliminated, and plugin management restricted to executables signed with WinGUp's certificate. The update also patches a high-severity Unsafe Search Path vulnerability (CVE-2026-25926) that could allow arbitrary code execution. The compromise enabled delivery of a backdoor called Chrysalis to selected users.
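To make the CWE-426 issue concrete from the defender's side, here is an added example (not code from the article or from the Notepad++ project) that simulates, in a temporary directory, the simplified search order Windows applies to an unqualified executable name, and contrasts it with the fix of resolving an absolute path under the Windows directory before launching. The search order, directory names and file contents are constructed assumptions for illustration, not the exact ShellExecute/CreateProcess logic.

```python
import tempfile
from pathlib import Path

# Simplified model of the order Windows searches for a bare executable name:
# application directory, current working directory, system directory,
# Windows directory, then PATH. Assumption: an illustrative simplification.
def resolve_bare_name(name, app_dir, cwd, system_dir, windows_dir, path_dirs=()):
    for directory in (app_dir, cwd, system_dir, windows_dir, *path_dirs):
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate          # first hit wins, and cwd precedes System32
    return None

# Mitigation: build an absolute path to the trusted binary up front so the
# working directory never participates in the lookup at all.
def explorer_path_hardened(windows_dir):
    windows_dir = Path(windows_dir)
    if not windows_dir.is_absolute():
        raise ValueError("windows_dir must be an absolute path")
    target = windows_dir / "explorer.exe"
    if not target.is_file():
        raise FileNotFoundError(target)
    return target

def demo():
    """Constructed layout: a trusted explorer.exe in the Windows directory and
    a planted lookalike in a working directory the launcher does not control."""
    root = Path(tempfile.mkdtemp())
    dirs = {n: root / n for n in ("app", "work", "System32", "Windows")}
    for d in dirs.values():
        d.mkdir()
    (dirs["Windows"] / "explorer.exe").write_bytes(b"trusted")  # constructed
    (dirs["work"] / "explorer.exe").write_bytes(b"planted")     # constructed
    bare = resolve_bare_name("explorer.exe", dirs["app"], dirs["work"],
                             dirs["System32"], dirs["Windows"])
    hardened = explorer_path_hardened(dirs["Windows"])
    return {"bare": bare, "hardened": hardened}

if __name__ == "__main__":
    result = demo()
    print("bare name resolves to  :", result["bare"])       # the planted copy
    print("absolute path resolves :", result["hardened"])   # the trusted copy
```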
Read at The Hacker News