Microsoft fixes Notepad flaw that could trick users into clicking malicious Markdown links

Microsoft has fixed a serious security vulnerability affecting Markdown files in Notepad. In the company’s Tuesday patch notes, Microsoft says a bad actor could carry out a remote code execution attack by tricking users “into clicking a malicious link inside a Markdown file opened in Notepad,” as reported earlier by The Register.

Clicking the link would “launch unverified protocols,” allowing attackers to remotely load and execute malicious files on a victim’s computer, according to the patch notes. Microsoft says there isn’t any evidence of attackers exploiting the Notepad vulnerability (CVE-2026-20841) in the wild, but it issued a fix for the flaw in its Tuesday patch.

Microsoft initially added support for Markdown, a plaintext formatting language, to Notepad on Windows 11 last May. The move contributed to criticism that Microsoft is filling its operating system with bloatware, including by stuffing new features and AI capabilities into apps like Notepad and Paint.

Notepad isn’t the only text editor that has faced security issues recently, as the third-party Notepad++ app disclosed that some users may have downloaded a malicious update linked to Chinese state-sponsored attackers.