Notepad's new Markdown feature added a severe vulnerability that's just been patched — Is it enough to make Microsoft leave the lightweight app alone?
Notepad, one of the oldest and most reliable apps in the Windows ecosystem, has been undergoing some big changes during the Copilot AI era. Unfortunately, one of its new features was prone to a serious vulnerability that Microsoft has now patched with a February 10 security update.
No, this is not the same vulnerability discovered in the Notepad alternative Notepad++. Just very bad timing.
Microsoft says the Notepad vulnerability CVE-2026-20841 stems from "improper neutralization of special elements in a command ('command injection')" in the app. In other words, this was an RCE flaw that allowed bad actors to "execute code over a network" using the Notepad app.
The vulnerability lies in Notepad's relatively new Markdown feature that the app picked up in 2025. According to Microsoft, if attackers convinced or tricked a user into opening a malicious link in a Markdown file via Notepad, the app would gladly go ahead and execute remote files.
Worse, because the malicious code was executed in the security context of the user running Notepad, the bad actor would thereby have the same permissions as that user. Not great.
This now-patched vulnerability hits an 8.8 on the Common Vulnerability Scoring System (CVSS). For reference, 10 is the highest, most severe value. In better news, Microsoft lists the vulnerability as being unproven in terms of "in-the-wild" exploitation.
The Notepad vulnerability has now been patched with the February 2026 Patch Tuesday update, so you want to be sure to keep your PC up-to-date. It appears the vulnerability was active from version 11.0.0 to before 11.2510.
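For triaging Markdown files before they are opened on a machine that has not yet received the update, the following added example (not code from Microsoft or from this article) lists link targets that are not ordinary web or mail links. The allowlist, the function names and the sample text are assumptions constructed for illustration; the advisory as quoted above does not say which link forms were affected.

```python
import re

# Assumption for this example: only these link schemes are expected in notes.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
LINK_PATTERNS = (
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),                    # [text](target)
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),            # <scheme:target>
    re.compile(r"^[ \t]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M),  # [id]: target
)

# Constructed sample; every target below is a placeholder.
SAMPLE = """\
# Meeting notes (constructed sample)
See the [agenda](https://example.com/agenda) and [setup](docs/setup.md).
Install from [here](placeholder-scheme://example.invalid/tool).
Shared copy: [report](\\\\fileserver.example\\share\\report)
Contact <mailto:team@example.com> or <PLACEHOLDER-SCHEME:run>
[ref]: other-scheme:example "title"
"""

def review_reason(target):
    """Return why a link target needs review, or None if it looks ordinary."""
    if target.startswith(("\\\\", "//")):
        return "network path"
    match = SCHEME.match(target)
    if match is None:
        return None  # relative path or #anchor, no scheme at all
    scheme = match.group(1).lower()  # schemes are case-insensitive
    if scheme in ALLOWED_SCHEMES:
        return None
    return f"scheme '{scheme}' not in allowlist"

def audit_markdown(text):
    """Return sorted (line_number, target, reason) for every link to review."""
    findings = set()  # a set, so a target matched by two patterns is listed once
    for pattern in LINK_PATTERNS:
        for match in pattern.finditer(text):
            reason = review_reason(match.group(1))
            if reason:
                line = text.count("\n", 0, match.start()) + 1
                findings.add((line, match.group(1), reason))
    return sorted(findings)

if __name__ == "__main__":
    for line, target, reason in audit_markdown(SAMPLE):
        print(f"line {line}: {target} ({reason})")
```

A flagged link is a prompt for manual review, not proof of malice; the allowlist should be adjusted to whatever link types your own notes legitimately use.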
Does Notepad really need all of these new features?
Notepad has traditionally been a lightweight, simple app that edits text. Then came Microsoft's obsession with putting AI everywhere; Notepad was no exception.
While the new features are often useful, not all Notepad users feel the lightweight app needs them. My colleague and Windows Central Senior Editor Ben Wilson highlighted the issue last week when he expressed frustration over being locked out of Notepad due to server issues at Microsoft.
Microsoft has more recently walked back its Windows 11 AI overload after pushback from the community, although concrete proof of this mindset shift remains to be seen.
Following Notepad++'s state-sponsored hijacking and Windows Notepad's vulnerability and newfound bloat, you might want to check out an open-source and free Notepad alternative I found on GitHub.
Frustrated with new features in Notepad, whether they add severe vulnerabilities or not? Let me know in the comments section!

Cale Hunt brings to Windows Central more than nine years of experience writing about laptops, PCs, accessories, games, and beyond. If it runs Windows or in some way complements the hardware, there’s a good chance he knows about it, has written about it, or is already busy testing it.
