Windows Notepad Markdown Link Validation Flaw Enables Arbitrary Command Execution
Microsoft patched a high-severity remote code execution issue in the modern Windows Notepad (Microsoft Store version) tracked as CVE-2026-20841, where improper validation of links in Markdown (.md) files can lead to arbitrary command execution in the context of the logged-in user. The flaw can be triggered when a victim opens a specially crafted Markdown file and clicks a rendered hyperlink; Notepad’s Markdown rendering/tokenization pipeline turns link text into interactive elements, and the click handler passes attacker-controlled link values onward with insufficient sanitization.
Technical reporting indicates Notepad forwards the link target to ShellExecuteExW() with only minimal filtering (e.g., stripping leading/trailing slashes), allowing malicious protocol URIs such as file:// and ms-appinstaller:// to be invoked via registered protocol handlers. Exploitation is primarily social-engineering driven (email, downloads, or other delivery mechanisms) and requires user interaction (opening the file and clicking the link), but can result in execution of attacker-chosen commands or loading attacker-controlled content depending on protocol handler behavior and system configuration; the issue was disclosed via Zero Day Initiative and credited to researchers including Cristian Papa and Alasdair Gorniak (Delta Obscura), with additional analysis referenced by third-party reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Public PoC released for Windows Notepad vulnerability
Public proof-of-concept code for CVE-2026-20841 was released on GitHub, demonstrating how a crafted Markdown file and malicious hyperlink could be used to trigger command execution in vulnerable modern Notepad versions. Reporting noted that no workaround was available and that user interaction was required for exploitation.
ZDI publishes technical analysis of Windows Notepad RCE
The Zero Day Initiative published a technical write-up on CVE-2026-20841, explaining that insufficient validation of Markdown link values in modern Windows Notepad could let crafted protocol URIs reach ShellExecuteExW() and trigger arbitrary command execution. The analysis described exploitation via a malicious .md file opened in Notepad and a user clicking a malicious link.
Microsoft patches CVE-2026-20841 in February 2026 updates
Microsoft fixed CVE-2026-20841, a high-severity remote code execution flaw in the modern Microsoft Store version of Windows Notepad, during the February 2026 Patch Tuesday cycle. The issue affects Notepad version 11.2508 and earlier, with patched builds reported as 11.2510 and later.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Microsoft: Critical Security Issue Found in Windows Notepad - TechRepublic
techrepublic.com
Open sourcePoC Released for Windows Notepad Vulnerability that Enables Malicious Command Execution
cybersecuritynews.com
Open sourceZero Day Initiative - CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad
thezdi.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution
Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store) app, tracked as **CVE-2026-20841** (CVSS 8.8), caused by **command injection** (`CWE-77`) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped **Markdown (`.md`)** file in Notepad and clicks an embedded malicious link; the app can be coerced into launching **unverified protocols** that load and execute remote content, resulting in code execution in the **security context of the logged-in user** (potentially full compromise if the user has admin rights).
Apr 11, 2026
ThreatsDay Bulletin Highlights Microsoft Notepad Markdown Link RCE (CVE-2026-20841)
Microsoft patched a **Windows Notepad** command-injection vulnerability, **CVE-2026-20841** (CVSS **8.8**), that can lead to **remote code execution** when a user opens a Markdown file in Notepad and clicks a crafted malicious link. The issue is described as improper neutralization of special elements used in a command, enabling an attacker to trigger execution of remote or local payloads in the **security context of the logged-in user**. Public proof-of-concept examples indicate the flaw can be exercised using Markdown `file://` links pointing to executables (e.g., `file://C:/windows/system32/cmd.exe`) and other special URI handlers. The reporting appears as part of a broader weekly “ThreatsDay” roundup that also references other, separate security stories (e.g., AI prompt injection/RCE themes and other malware/exploit items), but the concrete, actionable item consistently detailed is the Notepad Markdown-link RCE and its patch. A separate “Daily Cyber News” post discusses Microsoft releasing fixes for multiple exploited flaws across widely deployed products, but it does not specifically corroborate the Notepad CVE or the Markdown-link exploitation path described in the roundup, making it contextually related to Microsoft patching activity but not the same discrete vulnerability story.
Mar 21, 2026
Windows Notepad RCE Flaw CVE-2026-20841 Draws Public PoC Releases
Microsoft disclosed **CVE-2026-20841**, a remote code execution vulnerability in the **Windows Notepad app**, and the bug was subsequently detailed by Trend Micro's Zero Day Initiative as an arbitrary code execution issue affecting Notepad. Public references describe the flaw as enabling code execution through the handling of malicious content in Notepad, elevating concern because the application is widely present across Windows environments. Within days of disclosure, multiple **proof-of-concept** repositories for `CVE-2026-20841` appeared on GitHub, including projects explicitly labeling the issue as **"Windows notepad.exe RCE"**. The rapid publication of several PoCs increases the likelihood of weaponization and lowers the barrier for attackers to test exploitation, making prompt validation of Microsoft's security update and exposure assessment a priority for defenders.
May 25, 2026