CVE-2026-20841: Notepad Markdown Flaw Allows Remote Code Execution
A Markdown handler bug in the modern Notepad app can run code when users click crafted links; update to Notepad build 11.2510 or later to patch.
- CVE-2026-20841 enables remote code execution through crafted links in Notepad Markdown preview.
- Affected versions are the Microsoft Store Notepad app 11.0.0 through 11.2509 on Windows 10 and Windows 11.
- The issue has a CVSS score of 8.8, requires user interaction by clicking a link, and a proof of concept is available.
- Microsoft released a fix on February 10, 2026; update Notepad to build 11.2510 or later immediately.
- Mitigations include disabling Markdown preview, AI suggestions, and link execution in Notepad settings.
- IT teams and developers who open untrusted files should prioritize patching and user awareness.