securityonline.info 2/11/2026, 4:35:32 AM

Billions at Risk: Critical Windows Notepad Flaw Allows Remote Code Execution

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Available

Microsoft patched a newly discovered vulnerability in Windows Notepad on its February 2026 Patch Tuesday. The flaw is tracked as CVE-2026-20841 and carries a high-severity CVSS score of 8.8. It turns a simple Markdown file into a weapon, allowing remote code execution when a user clicks a specially crafted link, and it is described as improper neutralization of special elements used in a command.

The attack vector is network-based but requires user interaction, with the malicious code executing in the same security context as the user who opened the Markdown file and gaining whatever privileges they hold. Notepad’s ability to render Markdown is the attack surface, and the exploit does not run in a sandbox.

According to MSRC, Microsoft fixed the Notepad flaw alongside a broader update set that addressed 58 vulnerabilities, including six actively exploited and three publicly disclosed zero-days. Users are urged to update via the Microsoft Store or Windows Update.


Article by CyberSIXT