ThreatsDay Bulletin Highlights Microsoft Notepad Markdown Link RCE (CVE-2026-20841)
Microsoft patched a Windows Notepad command-injection vulnerability, CVE-2026-20841 (CVSS 8.8), that can lead to remote code execution when a user opens a Markdown file in Notepad and clicks a crafted malicious link. The issue is described as improper neutralization of special elements used in a command, enabling an attacker to trigger execution of remote or local payloads in the security context of the logged-in user. Public proof-of-concept examples indicate the flaw can be exercised using Markdown file:// links pointing to executables (e.g., file://C:/windows/system32/cmd.exe) and other special URI handlers.
The reporting appears as part of a broader weekly “ThreatsDay” roundup that also references other, separate security stories (e.g., AI prompt injection/RCE themes and other malware/exploit items), but the concrete, actionable item consistently detailed is the Notepad Markdown-link RCE and its patch. A separate “Daily Cyber News” post discusses Microsoft releasing fixes for multiple exploited flaws across widely deployed products, but it does not specifically corroborate the Notepad CVE or the Markdown-link exploitation path described in the roundup, making it contextually related to Microsoft patching activity but not the same discrete vulnerability story.
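A defensive triage check for the link pattern described in the summary above, as an added example that is not from the original reporting or from Microsoft: it lists Markdown links whose URI scheme falls outside an allowlist, so documents can be reviewed before they are opened on unpatched hosts. The allowlist (http, https, mailto), the function names and the sample document are assumptions made for illustration, and `example-handler:` is a placeholder scheme.

```python
import re

# Assumption: schemes treated as ordinary for links in Markdown documents.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links [text](target), autolinks <scheme:target>, and
# reference definitions "[label]: target".
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")
REF_DEF = re.compile(r"^[ ]{0,3}\[[^\]]+\]:\s*<?([^\s>]+)")


def link_scheme(target):
    """Return the lowercased URI scheme of a link target, or '' if relative."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", target)
    return m.group(1).lower() if m else ""


def flag_links(markdown_text):
    """Return (line_no, scheme, target) for links outside ALLOWED_SCHEMES."""
    findings = []
    for line_no, line in enumerate(markdown_text.splitlines(), 1):
        targets = set()  # de-duplicate targets matched by two patterns
        for pattern in (INLINE_LINK, AUTOLINK, REF_DEF):
            targets.update(pattern.findall(line))
        for target in sorted(targets):
            scheme = link_scheme(target)
            # Relative paths and #anchors have no scheme and are skipped.
            if scheme and scheme not in ALLOWED_SCHEMES:
                findings.append((line_no, scheme, target))
    return findings


# Constructed sample document; the file:// target on line 3 is the
# example quoted in the summary, the other links are made up.
SAMPLE = """\
# Release notes (constructed sample)
See the [changelog](https://example.com/changelog) and [setup](docs/setup.md).
Run the [installer](file://C:/windows/system32/cmd.exe) first.
Contact <mailto:it@example.com> or open [help](example-handler:open).
[ref]: FILE:///C:/Users/Public/tool.exe "notes"
"""

if __name__ == "__main__":
    for line_no, scheme, target in flag_links(SAMPLE):
        print(f"line {line_no}: scheme '{scheme}' -> {target}")
```

The regexes cover common link forms only, not the full CommonMark grammar, so treat the output as a triage list rather than proof that a file is clean.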

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Munge vulnerability fixed after roughly 20 years
A long-standing Munge vulnerability, tracked as CVE-2026-25506, was finally fixed after existing for about two decades. The recap highlights the remediation as a notable legacy-security milestone.
Apple patches dyld zero-day used in targeted attacks
Apple disclosed and fixed CVE-2026-20700, a dyld memory corruption zero-day reportedly used in sophisticated targeted attacks. The patch marked a significant response to active exploitation.
Chrome zero-day CVE-2026-2441 is disclosed and patched
Google disclosed and patched CVE-2026-2441, a Chrome use-after-free vulnerability reported as actively exploited. The fix was included among the week's major browser and platform security updates.
Microsoft removes hijacked AgreeTo add-in from its store
After the Outlook add-in hijack was identified, Microsoft removed the AgreeTo add-in from the Microsoft store. This was the vendor response to the credential-theft campaign tied to the add-in.
Attackers exploit abandoned Outlook add-in domain to steal 4,000+ credentials
A previously legitimate Outlook add-in called AgreeTo was repurposed into a phishing kit after attackers took over an abandoned associated domain. The campaign resulted in theft of more than 4,000 Microsoft account credentials.
Law enforcement action targets $73.6 million pig-butchering scam
Authorities took action against a pig-butchering fraud operation involving $73.6 million in losses. The bulletin cites the case as a notable law-enforcement development during the reporting period.
Global Telnet traffic drops ahead of GNU InetUtils telnetd auth-bypass disclosure
Researchers observed an anomalous global collapse in Telnet traffic that may indicate pre-disclosure mitigation activity related to CVE-2026-24061, a critical GNU InetUtils telnetd authentication-bypass flaw. The traffic shift was noted as an unusual ecosystem signal around the vulnerability.
Quest Desktop Authority named-pipe flaw enables SYSTEM-level RCE
A major vulnerability in Quest Desktop Authority was disclosed involving a named-pipe issue that could allow SYSTEM-level remote code execution. The bulletin presents it as a significant newly revealed enterprise software risk.
Anthropic discloses unpatched zero-click Claude Desktop Extensions RCE risk
Researchers reported a zero-click remote code execution risk in Claude Desktop Extensions driven by prompt-injected Google Calendar events. Anthropic chose not to fix the issue, making the disclosure itself a notable development.
Microsoft patches Windows Notepad Markdown link RCE
Microsoft patched CVE-2026-20841, a command-injection flaw in Windows Notepad that could allow remote code execution through malicious Markdown links. The issue was highlighted as a newly patched exposure in the February threat roundup.
Google patches Looker RCE and authorization-bypass chain
Google patched a vulnerability chain in Looker tracked as CVE-2025-12743 that could enable remote code execution and authorization bypass. The bulletin cites this as a major disclosed and remediated enterprise software issue.
Sources
Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware
thehackernews.com
ThreatsDay Bulletin: AI Prompt RCE, Claude 0-Click, RenEngine Loader, Auto 0-Days & 25+ Stories
thehackernews.com


