Home > Vulnerability Database > CVE-2025-15556

Mend.io Vulnerability Database

CVE-2025-15556

Good to know:

Date: February 2, 2026

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.

Severity Score

7.5

Related Resources (7)

Url: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Url: https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification

Url: https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-15556

Url: https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix

Url: https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb

Url: https://www.mend.io/vulnerability-database/CVE-2025-15556

Severity Score

7.5

Weakness Type (CWE)

Download of Code Without Integrity Check

CWE-494

Top Fix

Upgrade Version

Upgrade to version https://github.com/notepad-plus-plus/notepad-plus-plus.git - v8.8.9;https://github.com/notepad-plus-plus/wingup.git - v5.3.8

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-15556

Good to know:

Date: February 2, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?