CVE-2025-15556

Analyzed
Published: 03 Feb 2026, 00:50
Last modified:05 Mar 2026, 01:29

Vulnerability Summary

Overall Risk (default)
medium
32/100
CVSS Score
7.7 HIGH
v4.0 (cve.org)
EPSS Score
5.33% LOW
5% probability 0.00%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

03 Feb 2026, 00:50
Published
Vulnerability first disclosed
12 Feb 2026, 00:00
Added to CISA KEV
Notepad++ Download of Code Without Integrity Check Vulnerability
05 Mar 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
05 Mar 2026, 01:29
Last Modified
Vulnerability information updated

Description

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

CVSS Metrics

  • v4.0HIGHScore: 7.7CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v4.0HIGHScore: 7.7CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 5.33% Percentile: 90%

Techniques & Countermeasures

  • CWE-494Download of Code Without Integrity Check

    The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Affected Systems

  • notepad-plus-plusnotepad\+\+

    < 8.8.9

  • notepad-plus-plusnotepad-plus-plus

    < 8.8.9

References (7)