Microsoft patches serious Notepad Markdown vulnerability


Microsoft has used this month’s batch of security patches to fix a security vulnerability in Notepad. The once simple text editor has evolved over the years into more of a cut-down word processor, and has gained numerous new AI-powered features and Markdown support.

It is an issue with that Markdown support that Microsoft has now addressed. A flaw existed that made it possible to invisibly execute Markdown links, potentially exposing users to dangerous sites.

Describing the issue – which is tracked as CVE-2026-20841 – Microsoft says that: “Improper neutralization of special elements used in a command (‘command injection’) in Windows Notepad App allows an unauthorized attacker to execute code over a network”.

The company goes on to provide a little more detail about the nature of the vulnerability:

How could an attacker exploit this vulnerability?

An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?

The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
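The mechanism Microsoft describes is a link whose destination is handed to an unexpected protocol handler rather than a browser. As an added illustration (not code from the article or from Microsoft), the Python audit below lists every link target in a Markdown file and flags those whose scheme falls outside an assumed allowlist of http/https/mailto, or that point at a local drive or a network share, so a defender can triage untrusted .md files before they are opened. The allowlist, the regular expressions and the sample document are assumptions made for this example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Assumed allowlist of schemes a Markdown viewer may reasonably hand off to a
# browser or mail client; anything else is surfaced for review.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Inline links/images: [text](target "title"), reference definitions: [id]: target,
# and autolinks: <scheme:...>. Deliberately simple, not a full CommonMark parser.
INLINE_LINK = re.compile(r"!?\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+\"[^\"]*\")?\s*\)")
REF_DEF = re.compile(r"^\s{0,3}\[([^\]]+)\]:\s*<?(\S+)>?", re.MULTILINE)
AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]+)>")
DRIVE_PATH = re.compile(r"^[a-zA-Z]:/")


def classify_target(target: str) -> str:
    """Return 'allowed', 'unc', 'local-path' or 'scheme:<name>' for a link destination."""
    t = target.strip().replace("\\", "/")      # normalise Windows separators
    if t.startswith("//"):                       # \\server\share -> network share
        return "unc"
    if DRIVE_PATH.match(t):                      # C:\... -> local drive path
        return "local-path"
    scheme = urlsplit(t).scheme.lower()          # case-insensitive scheme check
    if scheme == "":                             # relative path inside the document tree
        return "allowed"
    return "allowed" if scheme in SAFE_SCHEMES else f"scheme:{scheme}"


def audit_markdown(markdown: str) -> list[tuple[str, str, str]]:
    """Return (link text, target, verdict) for every link whose target is not allowed."""
    candidates = [(m.group(1), m.group(2)) for m in INLINE_LINK.finditer(markdown)]
    candidates += [(f"[{m.group(1)}]", m.group(2)) for m in REF_DEF.finditer(markdown)]
    candidates += [(m.group(1), m.group(1)) for m in AUTOLINK.finditer(markdown)]
    return [(text, target, verdict) for text, target in candidates
            if (verdict := classify_target(target)) != "allowed"]


# Constructed sample document: two benign links, a file: link, a UNC share and an autolink.
SAMPLE_DOC = r"""# Release notes
See the [docs](https://example.com/docs) and email [us](mailto:help@example.com).
Open the [report](file:///C:/Users/Public/report.html "quarterly").
Shared [template](\\fileserver\share\template.docx)
[Changelog][1] and <ftp://mirror.example.net/pub>

[1]: ./CHANGELOG.md
"""

if __name__ == "__main__":
    for text, target, verdict in audit_markdown(SAMPLE_DOC):
        print(f"{verdict:12} {text!r} -> {target}")
```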

Microsoft thanks security researchers from Delta Obscura for bringing the high severity vulnerability to light.

A patch was developed quickly because the flaw not only allowed for silent loading of malicious sites, but also for remote access to shared resources.

Image credit: Alexey Novikov / Dreamstime.com