← Back

CVE-2025-15556

nvd nist
Published: Feb 3, 2026Modified: Feb 13, 2026CISA KEV

JSON object

Loading...
7.7
Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: disclosure@vulncheck.com (Secondary)

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Affected (1)

Notepad Plus Plus
1 product
Notepad++
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Notepad++
Before 8.8.9

Related CWEs

CWE-494
Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (7)

Source: disclosure@vulncheck.com
Release Notes
Source: disclosure@vulncheck.com
Patch
Source: disclosure@vulncheck.com
Patch
Source: disclosure@vulncheck.com
PatchVendor Advisory
Source: disclosure@vulncheck.com
Third Party Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.