For over four decades, Windows Notepad has been the basic text editor of choice for many a discerning PC user. In recent years, though, Microsoft has been steadily adding all kinds of features to it, turning it from a barebones word processor into something decidedly more complex. Unfortunately, the addition of formatting and tables now includes one more feature: a remote code execution vulnerability that could let hackers run all kinds of nasty stuff on your PC.
Microsoft acknowledges the issue in its security update guide, snappily labelled as CVE-2026-20841. With a Common Vulnerability Scoring System (CVSS) base score of 8.8 and temporal score of 7.7, it’s rated as a ‘high’ security problem.
Basically, it all works like this: A user opens up a Markdown file that contains an innocent-looking link in it, but upon opening said link, Notepad then starts to load and execute remote files that scrape data or do other nasty stuff with the computer. If the user has admin rights, then the attacker would have the same privileges too.
Like so many vulnerabilities of this kind, the computer would need to be connected to a network for the attacker to gain remote access, and it would only trigger if the user opened the Markdown file and then clicked on the link inside it. You’d think that this would mean that almost nobody would be affected by the problem, but the fact that cybercrime is such a problem these days just shows how many folks would be at risk.
If you’re wondering what Markdown is, it’s a simple markup language that can be used to translate basic text into HTML, and it’s what Microsoft uses to give Notepad the ability to add tables and formatting (e.g. bold or italic) to a text document. If you’ve ever used an app where you’ve added two asterisks before a word to make it go bold, then you’re probably using Markdown to do this. Well, the app is, but you get what I mean.
Notepad also has a Copilot feature, as well as Markdown support, but at least that’s secure. Hopefully. (Image credit: Microsoft)
This security vulnerability isn’t an issue with Markdown itself, just with how Notepad renders it, but exactly how Microsoft will fix this isn’t clear at this stage. For now, though, you can avoid the problem entirely by sticking to some important procedures: Do not download any file unless you can verify the integrity of its source, and never click on a random link.
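One way to act on that advice is to list where a downloaded Markdown file's links really point before opening it in an editor that renders them. The script below is an added example, not code from Microsoft or from the advisory. The http/https allow-list, the `audit_links` name and the sample text are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Inline links/images [text](target), autolinks <scheme:...>, and
# reference definitions "[id]: target".
INLINE = re.compile(r'\[([^\]]*)\]\(\s*<?([^)\s>]+)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>')
REFDEF = re.compile(r'^ {0,3}\[([^\]]+)\]:\s*<?([^\s>]+)', re.M)
LABEL_URL = re.compile(r'^https?://([^/\s:]+)', re.I)
ALLOWED_SCHEMES = {"http", "https"}  # assumption: local policy, not from the advisory

# Constructed sample input; every host and scheme here is a placeholder.
SAMPLE = "\n".join([
    "# Notes (constructed sample)",
    "See the [project page](https://example.com/project).",
    "Report: [https://example.com/report](https://files.example.net/report)",
    "Tool: [open viewer](placeholder-scheme://viewer)",
    "Mail <mailto:team@example.com>",
    "",
    "[docs]: ../shared/readme.md",
])

def audit_links(markdown_text):
    """Return (line, label, target, reasons) for each link worth a second look."""
    found = [(m.start(), m.group(1), m.group(2))
             for rx in (INLINE, REFDEF) for m in rx.finditer(markdown_text)]
    found += [(m.start(), m.group(1), m.group(1))
              for m in AUTOLINK.finditer(markdown_text)]
    findings, seen = [], set()
    for pos, label, target in sorted(found):
        line = markdown_text.count("\n", 0, pos) + 1
        if (line, target) in seen:          # same target matched by two patterns
            continue
        seen.add((line, target))
        try:
            parts = urlsplit(target)
            scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
        except ValueError:                  # malformed target: treat as unknown
            scheme, host = "", ""
        reasons = []
        if scheme not in ALLOWED_SCHEMES:
            reasons.append("target is not an http(s) URL")
        shown = LABEL_URL.match(label.strip())
        if shown and host and shown.group(1).lower() != host:
            reasons.append("visible text names a different host than the target")
        if reasons:
            findings.append((line, label, target, reasons))
    return findings

if __name__ == "__main__":
    for line, label, target, reasons in audit_links(SAMPLE):
        print(f"line {line}: [{label}] -> {target}: {'; '.join(reasons)}")
```

A clean result only means that no link tripped these two checks; it says nothing about the rest of the file.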
The good news is that there is currently no known exploitation of this vulnerability doing the rounds out in the wild, and even if there was, it’s pretty straightforward to avoid putting your PC into harm’s way. But given the simplicity of the hack, you’d think that Microsoft would have already thought about the possibility of it before going all willy-nilly with expanding Notepad’s feature set.
