CVE-2025-15556HIGH 7.5CISA KEVEPSS p66.0%
CVE-2025-15556Notepad++ Download of Code Without Integrity Check Vulnerability
Notepad++ / Notepad++
Description
Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.
Scoring
| CVSS 3.1 | 7.5 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS | 1.27% probability of exploitation · percentile 66.0% · 2026-06-18T12:00:27Z |
| Published | 2026-02-03 |
| Last modified | 2026-02-13 |
CISA KEV entry
Added to KEV: 2026-02-12
Underlying weaknesses· 1
References
- https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
- https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
- https://notepad-plus-plus.org/news/hijacked-incident-info-update/
- https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification
- https://notepad-plus-plus.org//news//clarification-security-incident/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556
1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Download of Code Without Integrity Checkcwe-494 | 0% | live |
(incoming)1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| KEVEntry | Notepad++ Download of Code Without Integrity Check Vulnerabilitykev-cve-2025-15556 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.