Microsoft’s effort to modernize the humble Notepad app has come with a cost: Security researchers have discovered a serious vulnerability in the program following a feature update.
The flaw, which Microsoft disclosed on Tuesday, can be exploited to run malicious code on a Windows PC. The company warns that a hacker could weaponize the vulnerability by embedding a malicious link into a file opened by Notepad, “causing the application to launch unverified protocols that load and execute remote files.”
The vulnerability, dubbed CVE-2026-20841, is raising eyebrows since Notepad has long been known as a rather basic text editor. However, the flaw leverages Notepad’s recently added support for Markdown, a formatting language used on websites and in files. In May, Microsoft introduced support for “Markdown-style input and files for users who prefer to work directly with the lightweight markup language.”
A trio of researchers later discovered that the Markdown support can create a security risk if Notepad opens a booby-trapped Markdown file containing a malicious link.
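A defender-side check for the pattern described above, as an added example that is not from Microsoft or the original article: it lists Markdown link targets whose URI scheme falls outside an allowlist, so a file can be reviewed before it is opened in a Markdown-rendering editor. The allowlist, the function name and the sample document (including its placeholder schemes) are assumptions constructed for illustration.

```python
import re

# Assumption: schemes this policy accepts in documents; adjust to local needs.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target) or [text](<target>)
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
# Reference definitions: [label]: target
REFDEF = re.compile(r"^ {0,3}\[[^\]]+\]:\s*<?([^\s>]+)", re.MULTILINE)
# Autolinks: <scheme:target>
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^\s<>]*)>")
# RFC 3986 scheme prefix at the start of a target
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def audit(markdown):
    """Return sorted (line, scheme, target) for links outside the allowlist."""
    findings = set()  # a set removes targets matched by two patterns
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            target = m.group(1)
            scheme = SCHEME.match(target)
            if scheme is None:
                continue  # relative link: no protocol handler is involved
            name = scheme.group(1).lower()  # schemes are case-insensitive
            if name not in ALLOWED_SCHEMES:
                line = markdown.count("\n", 0, m.start(1)) + 1
                findings.add((line, name, target))
    return sorted(findings)


# Constructed sample; "example-handler" and "another-handler" are placeholders.
SAMPLE = """# Release notes
See the [changelog](https://example.com/changelog) or [mail us](mailto:team@example.com).
Relative links such as [setup](docs/setup.md) carry no scheme.
[Open viewer](example-handler://open?item=1)
<HTTPS://example.com/upper>
[ref]: another-handler:payload
"""

if __name__ == "__main__":
    for line, scheme, target in audit(SAMPLE):
        print(f"line {line}: scheme '{scheme}' not allowlisted -> {target}")
```

The regular expressions also match link syntax inside code spans and fences, so the check over-reports rather than under-reports.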