Remember when Notepad was just… Notepad? A simple text editor nobody asked to be modernized?
Yeah, Microsoft didn’t care either. They bolted on Markdown support and AI features anyway. And now we’ve got CVE-2026-20841. Remote code execution. Via a text file. This is the kind of thing that makes you go “oh come on, really?”
Isn’t the point of a RCE that the user doesn’t need to click and run the malicious code? What makes this different from the user opening a site on a browser which is filled with links?
the browser knows its opening links and has a code base on how to do that
notepad isn’t suppost to fetch data when the file it opens contains code that acts like a link
Does it not invoke the browser to do it? The article and associated pages don’t really go into how the whole flow it works.
https://nvd.nist.gov/vuln/detail/CVE-2026-20841 this page would contain the best details on the CVE, there is a link to a forum discussing it
I don’t know for sure but I suspect it is like many of the other types of exploits where someone makes a normal looking URL but inside of it hides conditions that makes whatever is inspecting the URL to know that it should open in the web browser do something before it opens the web browser. Like before it starts the web browser does it it tells it to download some code and run it and that code then hijacks your “system” because the system service is running the code