Notepad++ before 8.8.9 WinGUp Updater Integrity Verification Flaw
CVE-2025-15556 Published on February 3, 2026
Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Known Exploited Vulnerability
This Notepad++ Download of Code Without Integrity Check Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.
The following remediation steps are recommended / required by March 5, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Timeline
Vulnerability is publicly disclosed
Announcement of exploitation in the wild 55 days later.
Weakness Type
Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Products Associated with CVE-2025-15556
Want to know whenever a new CVE is published for Notepadplusplus Notepad? stack.watch will email you.
Affected Versions
notepad-plus-plus:- Before 8.8.9 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.