Privilege Escalation Vulnerability Identified in Notepad++ Installer

A critical privilege escalation vulnerability has been identified in the installer of Notepad++, a free and open-source source code editor. The vulnerability affects Notepad++ version 8.8.1 and earlier.

The issue originates from the use of an insecure executable search path within the Notepad++ v8.8.1 installer, which may allow unprivileged users to gain SYSTEM-level privileges on affected systems.

An attacker could exploit this vulnerability by using social engineering or clickjacking techniques to trick a user into downloading both the legitimate Notepad++ installer and a malicious executable into the same directory, typically the Downloads folder, which is known to be a vulnerable directory. When the user executes the installer, the malicious executable may be launched automatically with SYSTEM privileges.

The vulnerability has been addressed, and the fix is scheduled to be released with Notepad++ version 8.8.2. Users are strongly advised to upgrade to the latest version as soon as it becomes available in order to mitigate potential security risks.

This security issue has been assigned CVE-2025-49144, and further technical details are available through the National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-49144
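
A pre-launch check for the scenario described above, as an added example that is not part of the original advisory or the Notepad++ project: it lists executables in the folder an installer would be run from whose file names collide with binaries in the Windows system directories, together with their signature status and hash. The function name `Find-ShadowingExecutable`, the default folders and the extension list are assumptions made for this example.

```powershell
# Added example: report executables in a folder that share a file name with a
# binary in a trusted Windows directory. Defaults below are assumptions.
function Find-ShadowingExecutable {
    [CmdletBinding()]
    param(
        # Folder the installer would be launched from (assumed: Downloads).
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
        # Trusted folders whose binary names should not appear in $Path.
        [string[]]$TrustedPath = @(
            (Join-Path $env:SystemRoot 'System32'),
            $env:SystemRoot
        ),
        # File types treated as directly launchable.
        [string[]]$Extension = @('.exe', '.com', '.bat', '.cmd')
    )

    # Case-insensitive set of launchable file names in the trusted folders.
    $trusted = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($dir in $TrustedPath) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension } |
            ForEach-Object { [void]$trusted.Add($_.Name) }
    }

    # Every file in the target folder whose name collides with a trusted name.
    Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
        Where-Object { $trusted.Contains($_.Name) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                FullName      = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Signature     = $sig.Status
                Signer        = $sig.SignerCertificate.Subject
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Any row in the output is a file to examine before running an installer there.
Find-ShadowingExecutable | Format-Table -AutoSize
```

An empty result means no name collisions were found in the checked folder; it does not replace upgrading to the fixed installer.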