Guys, another stupid CVE was disclosed in Windows Notepad that allows command execution via crafted Markdown links. Scary and stupid, right?

Let's analyze it together.

References

  • https://foss-daily.org/posts/microsoft-notepad-2026/
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Details

  Detail               Value
  CVE ID               CVE-2026-20841
  CVSS Score           8.8 (High)
  Vulnerability Type   Command Injection (CWE-77)
  Affected App         Modern Notepad app (Microsoft Store)
  Affected Versions    11.0.0 to 11.2509
  Fixed In             11.2510+
  Patch Date           February 10, 2026
  Active Exploitation  Yes, PoC available
  Workaround           Limited (update required)

Overview

We have all used Windows Notepad, right? Back in the days of Windows 10 and 7, Notepad was just a notepad, with no bloat and no AI features.

But the modern Windows 11 Notepad added Markdown handling. The issue is that the Markdown link handler does not validate the link protocol before execution, so a crafted .md file can trigger command execution when a user clicks a link.

“Someone at Microsoft thought “what if Notepad could execute commands?” and shipped it enabled by default. Attackers can now trick users into opening a malicious .md file, you click a link, and BAM, code runs with your full permissions. Full system compromise. It is that bad.

The vulnerability itself is straightforward. Notepad’s Markdown handler does not validate what is in those links before executing them. A specially made file with the right protocol prefix does the rest. Phishing a user to click becomes a full system compromise.”

Source: https://foss-daily.org/posts/microsoft-notepad-2026/

Attack Flow

  1. An attacker sends a malicious .md file (for example, meeting-notes.md).
  2. The victim opens it in Notepad and clicks a link.
  3. The link triggers command execution instead of opening in a browser.
  4. The attacker gets full system control.
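
As an added example (not from this post or from the linked PoC), here is a defender-side Python scanner that flags Markdown links whose protocol is not on an http/https/mailto allowlist, which is the check the post says Notepad's handler skips. The sample .md text, the scheme names and the allowlist are constructed for the example.

```python
import re
from urllib.parse import unquote

# Allowlist of link schemes a browser may open (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links/images: [text](target "title"), target optionally in <...>
INLINE_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)")
# Reference definitions: [label]: target
REF_DEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?", re.MULTILINE)
# Autolinks: <scheme:...>
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]*)>")

# Constructed sample document, not a real file.
SAMPLE_MD = """# Meeting notes (constructed sample)
See [the agenda](https://example.com/agenda) and [minutes](docs/minutes.md).
Contact <mailto:team@example.com> or [the team][team].
Click [here to open the report](cust%6Fmscheme:open-report "report").
[team]: customscheme:contact-team
"""

def link_scheme(target):
    """Lower-cased scheme of a link target, or None for relative links/anchors.
    Percent-decodes and drops whitespace/control characters first so an
    obfuscated prefix resolves to the scheme the handler would actually see."""
    cleaned = "".join(c for c in unquote(target) if c.isprintable() and not c.isspace())
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else None

def find_suspicious_links(markdown):
    """Return (target, scheme) pairs for links whose scheme is not allowlisted,
    in document order of the three link forms, without duplicates."""
    findings, seen = [], set()
    for pattern in (INLINE_LINK, REF_DEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            target = m.group(1)
            scheme = link_scheme(target)
            if scheme is not None and scheme not in ALLOWED_SCHEMES and target not in seen:
                seen.add(target)
                findings.append((target, scheme))
    return findings

if __name__ == "__main__":
    for target, scheme in find_suspicious_links(SAMPLE_MD):
        print(f"non-allowlisted link scheme '{scheme}': {target}")
```

Run it over inbound .md attachments before they reach users on an unpatched Notepad; a hit means the link would be handed to a non-browser handler, which is exactly the path the CVE abuses.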

Proof of Concept

  • https://github.com/BTtea/CVE-2026-20841-PoC

Mitigation

  • Update Notepad to 11.2510 or later.
  • To be safe, disable the AI features and turn off Markdown preview.

That's all folks, happy hacking!