CVE-2025-15556

Source
https://cve.org/CVERecord?id=CVE-2025-15556
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15556.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-15556
Published
2026-02-03T01:15:57.757Z
Modified
2026-02-21T02:37:38.022565Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

References

Affected packages

Git / github.com/notepad-plus-plus/notepad-plus-plus

Affected ranges

Type
GIT
Repo
https://github.com/notepad-plus-plus/notepad-plus-plus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

7.*
7.2.2
7.3.1
Other
patch-1_#167
patch-2_#268
patch-3_#283
v6
v7
v8
v5.*
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.5
v5.5.1
v5.6
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.7
v5.8
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.9
v5.9.1
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6
v5.9.6.1
v5.9.6.2
v5.9.7
v5.9.8
v6.*
v6.1
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.2
v6.2.1
v6.2.2
v6.2.3_-_End_of_World_Edition
v6.3
v6.3.1
v6.3.2
v6.3.3
v6.4
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.5
v6.5.1
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.6
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.6_-_Friday_the_13th_edition
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7.1
v6.7.2
v6.7.3
v6.7.4_-_Je_suis_Charlie_edition
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.8.1
v6.7.8.2
v6.7.9
v6.7.9.1
v6.7.9.2
v6.8
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9
v6.9.1
v6.9.2
v7.*
v7.1
v7.2
v7.2.1
v7.2.2
v7.3
v7.3.1
v7.3.2
v7.3.3
v7.4
v7.4.1
v7.4.2
v7.5
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6
v7.5.7
v7.5.8
v7.5.9
v7.6
v7.6.1
v7.6.2
v7.6.3
v7.6.4
v7.6.5
v7.6.6
v7.7
v7.7.1
v7.8
v7.8.1
v7.8.2
v7.8.3
v7.8.4
v7.8.5
v7.8.6
v7.8.7
v7.8.8
v7.8.9
v7.9
v7.9.1
v7.9.2
v7.9.3
v7.9.4
v7.9.5
v8.*
v8.1
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.1.5
v8.1.6
v8.1.7
v8.1.8
v8.1.9
v8.1.9.1
v8.1.9.2
v8.1.9.3
v8.2
v8.2.1
v8.3
v8.3.1
v8.3.2
v8.3.3
v8.4
v8.4.1
v8.4.2
v8.4.3
v8.4.4
v8.4.5
v8.4.6
v8.4.7
v8.4.8
v8.4.9
v8.5
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.7
v8.5.8
v8.6
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.6.5
v8.6.6
v8.6.7
v8.6.8
v8.6.9
v8.7
v8.7.1
v8.7.2
v8.7.3
v8.7.4
v8.7.5
v8.7.6
v8.7.7
v8.7.8
v8.7.9
v8.8
v8.8.1
v8.8.2
v8.8.3
v8.8.4
v8.8.5
v8.8.6
v8.8.7
v8.8.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15556.json"
vanir_signatures
[
    {
        "id": "CVE-2025-15556-27ccaa51",
        "target": {
            "file": "PowerEditor/src/MISC/Common/verifySignedfile.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-15556-29e85d7e",
        "target": {
            "function": "launchUpdater",
            "file": "PowerEditor/src/winmain.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "function_hash": "312709445702296421521735460136267994393",
            "length": 947.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-42cbcfff",
        "target": {
            "function": "SecurityGuard::verifySignedLibrary",
            "file": "PowerEditor/src/MISC/Common/verifySignedfile.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "function_hash": "152797047514001141527229657506795098783",
            "length": 6410.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-8eb568d4",
        "target": {
            "file": "PowerEditor/src/winmain.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-15556-94eeb743",
        "target": {
            "function": "Notepad_plus::command",
            "file": "PowerEditor/src/NppCommands.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "function_hash": "105647571504879897451411109553853155985",
            "length": 104819.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-a385925c",
        "target": {
            "file": "PowerEditor/src/MISC/Common/verifySignedfile.h"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-15556-d0614ad1",
        "target": {
            "file": "PowerEditor/src/NppCommands.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab",
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    }
]

Git / github.com/notepad-plus-plus/wingup

Affected ranges

Type
GIT
Repo
https://github.com/notepad-plus-plus/wingup
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v3.*
v3.3
Other
v4
v4.*
v4.1
v4.2
v5.*
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1
v5.1.1
v5.1.3
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.3
v5.3.1
v5.3.2
v5.3.4
v5.3.5
v5.3.6
v5.3.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15556.json"
vanir_signatures
[
    {
        "id": "CVE-2025-15556-0e897720",
        "target": {
            "function": "wWinMain",
            "file": "src/winmain.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb",
        "digest": {
            "function_hash": "300466592261933343133604243145794379204",
            "length": 9166.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-3450ece0",
        "target": {
            "function": "ws2s",
            "file": "src/xmlTools.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb",
        "digest": {
            "function_hash": "227893333599043902810525623546619831721",
            "length": 137.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-4536be79",
        "target": {
            "function": "s2ws",
            "file": "src/xmlTools.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb",
        "digest": {
            "function_hash": "196000959413924539344908361134820556844",
            "length": 139.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-9b665bd4",
        "target": {
            "function": "parseCommandLine",
            "file": "src/winmain.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb",
        "digest": {
            "function_hash": "128786072223726527997418915164584581324",
            "length": 694.0
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-15556-eb065342",
        "target": {
            "file": "src/xmlTools.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb",
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-15556-f32b1030",
        "target": {
            "file": "src/winmain.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb",
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    }
]