CVE-2025-15556
Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
| CWE | CWE-494 |
| Vendor | notepad-plus-plus |
| Product | notepad-plus-plus |
| Published | Feb 3, 2026 |
| Last Updated | Mar 5, 2026 |
โ ๏ธ Actively Exploited โ Act Now
Get instant alerts for notepad-plus-plus notepad-plus-plus
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2025-15556.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
notepad-plus-plus / notepad-plus-plus
0 < 8.8.9
References
community.notepad-plus-plus.org: https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix notepad-plus-plus.org: https://notepad-plus-plus.org/news/hijacked-incident-info-update/ github.com: https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab github.com: https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb vulncheck.com: https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556 notepad-plus-plus.org: https://notepad-plus-plus.org//news//clarification-security-incident/