Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification

Advisories

severity: high
date: 2/2/2026
Affecting: Notepad++ < 8.8.9
CVE: CVE-2025-15556
CWE: CWE-494 Download of Code Without Integrity Check
CVSS: 7.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Notepad++ v8.8.9 Release Notes
Notepad++ Exploitation in the Wild Announcement
Notepad++ GitHub Patch Commit
WinGUp GitHub Patch Commit
Credit: Notepadd++ (Internal Discovery)
Description: Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
VulnCheck KEV: This advisory is in the VulnCheck KEV database

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo