v8.8.6 release: Clarifying the CVE-2025-56383 Non-Issue
2025-10-07
CVE-2025-56383 is one of the most absurd entries we’ve ever seen in the National Vulnerability Database.
It’s misclassified under CWE-427: Uncontrolled Search Path Element. Yet the provided POC shows no connection to CWE-427.
Notepad++ & its plugins are installed by default in the protected “Program Files” directory, requiring administrator privileges to modify. If an attacker already has those rights, they could replace any system file - so targeting a plugin is pointless.
This logic applies to countless Windows applications, making CVE-2025-56383 meaningless. It’s not a real vulnerability, just a dubious security vulnerability: attacking the application directory in order to fool yourself.
We urge some “security experts” to stop blindly trusting authority and start reading POCs with common sense.
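The argument above rests on the install directory being writable only by administrators, which is the case for the default “Program Files” location but is worth verifying for a custom install path or a portable copy. The following PowerShell check is an added example, not code from the Notepad++ project; the default path, the function name `Get-UntrustedWriteAce` and the list of trusted SIDs are assumptions.

```powershell
# Added example (not Notepad++ project code): list non-admin write access
# to a Notepad++ install directory and everything beneath it.
param([string]$Path = (Join-Path $env:ProgramFiles 'Notepad++'))  # assumed default path

# Specific rights that allow adding, replacing or re-permissioning files.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inheritable ACEs may carry raw generic bits: GENERIC_WRITE | GENERIC_ALL.
$genericBits = 0x40000000 -bor 0x10000000

# Principals expected to hold write access under Program Files (assumed baseline).
$trusted = @(
    'S-1-5-18'       # SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER (inherit-only placeholder)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UntrustedWriteAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        $mask = [int]$rule.FileSystemRights
        if (($mask -band $writeBits) -or ($mask -band $genericBits)) {
            $name = $rule.IdentityReference.Value   # fall back to the SID if it cannot be resolved
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Directory = $Directory; Principal = $name; Rights = $rule.FileSystemRights }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Error "Directory not found: $Path"; exit 2
}
$dirs = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse | ForEach-Object FullName)
$findings = @($dirs | ForEach-Object { Get-UntrustedWriteAce -Directory $_ })

if ($findings.Count -eq 0) {
    "OK: only administrative principals can modify $Path"
} else {
    $findings | Format-Table -AutoSize
    exit 1
}
```

Any row in the output names a principal outside the trusted list that can add or replace files in the directory, which means the "requires administrator privileges" precondition does not hold for that install.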
This release, like the previous version v8.8.3, is signed with the self-signed certificate. If your antivirus complains that the 8.8.5 version you downloaded here contains a virus or malware, this is likely a false positive. Please report it to the antivirus company.
In this version, the ability to paste multiline content into Find/Replace fields has been added. UAC handling for saving & the pin tab performance have been improved, and full Read-Only modes are now implemented.
This release also includes various bug-fixes & enhancements. You can view the full list of improvements for version 8.8.6 and download it here:
Report regressions and critical bugs here:
https://community.notepad-plus-plus.org/topic/27174/notepad-v8-8-6-release
Do more to stop war - keep helping Ukraine