This flaw was addressed in the February 2026 Patch Tuesday release. Security researchers Cristian Papa and Alasdair Gorniak from Delta Obscura first found it. Nikolai Skliarenko and Yazhi Wang from TrendAI Research then analyzed it in depth.
The issue stems from command injection in Notepad’s Markdown handling. The affected app is the modern Notepad distributed through the Microsoft Store, not the old Notepad.exe in Windows. It renders .md files with interactive links.
Attackers can craft a malicious Markdown file. If a victim opens it in Notepad and Ctrl+clicks a malicious hyperlink, arbitrary commands run under the user’s account.
A vulnerable function, sub_140170F60(), processes link clicks. It passes the link to ShellExecuteExW() after weak filtering.
The filter only removes leading or trailing slashes. It does not reject protocols like file:// or ms-appinstaller://, which load attacker files without Windows warnings. ShellExecuteExW() dispatches to the system's registered handlers, so the risk grows with custom setups.
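
A defensive triage check for the filtering gap described above, as an added example that is not Notepad's code or the researchers' PoC: it extracts link targets from a Markdown file and reports any whose URI scheme falls outside an allowlist. The allowlist (http, https, mailto), the function names and the sample document are assumptions.

```python
import re

# Assumption: schemes a Markdown note legitimately needs; everything else is reported.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links [text](target "title"), autolinks <scheme:...>, reference defs [id]: target
LINK_PATTERNS = [
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),
    re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?(\S+?)>?\s*$", re.MULTILINE),
]
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def link_scheme(target):
    """Return the lowercased URI scheme of a link target, or None if it has none."""
    # Strip the leading/trailing slashes the page says the filter removes (backslashes
    # too, as an assumption), so padding around the target cannot hide the scheme.
    cleaned = target.strip().strip("/\\")
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def flag_links(markdown_text):
    """Return sorted (line_number, scheme, target) for links outside the allowlist."""
    findings = set()
    for pattern in LINK_PATTERNS:
        for m in pattern.finditer(markdown_text):
            scheme = link_scheme(m.group(1))
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                line_no = markdown_text.count("\n", 0, m.start(1)) + 1
                findings.add((line_no, scheme, m.group(1)))
    return sorted(findings)


# Constructed sample document (placeholder hosts and paths, not taken from any real file).
SAMPLE = """# Meeting notes
See the [agenda](https://example.com/agenda) and [mail me](mailto:a@example.com).
Open the [shared report](file://placeholder.example/report.txt).
Install the [viewer](ms-appinstaller://placeholder).
Jump to [section two](#section-two) or <https://example.com/docs>.
[ref]: //file://placeholder.example/other.txt
"""

if __name__ == "__main__":
    for line_no, scheme, target in flag_links(SAMPLE):
        print(f"line {line_no}: scheme {scheme!r} -> {target}")
```

Targets with no scheme (anchors, relative paths) are not reported; a Windows drive path such as `C:\...` parses as a one-letter scheme and is reported.
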
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-20841 | 7.8 (High) | RCE via command injection in modern Windows Notepad Markdown link handling, allowing arbitrary command execution on Ctrl+click. |
Exploitation needs user action, per the Zero Day Initiative analysis. Attackers send the file via email, downloads, or phishing.
Victims must open it in Notepad, even though .md files aren’t associated with it by default, and click the link. A public proof-of-concept is now available on GitHub, raising real-world risks.
The flaw affects Notepad versions 11.2508 and earlier. Updating through the Microsoft Store to build 11.2510 or later fixes it. Legacy Notepad.exe is not affected. No workarounds exist, but Microsoft urges auto-updates.
Organizations must check endpoints. Enable Microsoft Store updates fleet-wide. Use tools to enforce version 11.2510+. Scan for old installs.
This underscores Markdown risks in everyday apps. Notepad’s preview mode seemed handy, but opened doors. With PoC out, threat actors may weaponize it fast. Update now to block attacks.
The post PoC Released for Windows Notepad Vulnerability Enabling Malicious Command Execution appeared first on Cyber Security News.