Windows 11 Notepad Flaw Let Files Execute Silently via Markdown Links (bleepingcomputer.com)
(Thursday February 12, 2026 @10:45PM (msmash)
from the WordPad-died-for-this dept.)
- Reference: 0180783282
- News link: https://tech.slashdot.org/story/26/02/12/2111243/windows-11-notepad-flaw-let-files-execute-silently-via-markdown-links
- Source link: https://www.bleepingcomputer.com/news/microsoft/windows-11-notepad-flaw-let-files-execute-silently-via-markdown-links/
Microsoft has [1]patched a high-severity vulnerability in Windows 11's Notepad that allowed attackers to silently execute local or remote programs when a user clicked a specially crafted Markdown link, all without triggering any Windows security warning.
The flaw, tracked as CVE-2026-20841 and fixed in the February 2026 Patch Tuesday update, stemmed from Notepad's relatively new Markdown support -- a feature Microsoft added after [2]discontinuing WordPad and rewriting Notepad to serve as both a plain text and rich text editor. An attacker only needed to create a Markdown file containing file:// links pointing to executables or special URIs like ms-appinstaller://, and a Ctrl+click in Markdown mode would launch them. Microsoft's fix now displays a warning dialog for any link that doesn't use http:// or https://, though the company did not explain why it chose a prompt over blocking non-standard links entirely. Notepad updates automatically through the Microsoft Store.
[1] https://www.bleepingcomputer.com/news/microsoft/windows-11-notepad-flaw-let-files-execute-silently-via-markdown-links/
[2] https://tech.slashdot.org/story/23/09/03/0050200/after-28-years-microsoft-announces-it-will-remove-wordpad-from-windows
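An added example (not code from Microsoft, BleepingComputer or Slashdot): a Python sketch that audits Markdown text using the rule the summary attributes to the patched Notepad, flagging any link whose scheme is not http:// or https://. The regexes are simplified assumptions covering inline links, autolinks and reference definitions only, and the sample document and its hostnames are constructed.

```python
import re

# Rule the summary attributes to the patched Notepad: only these schemes pass without a prompt.
ALLOWED_SCHEMES = {"http", "https"}

# Simplified matchers (assumption: this is not a full CommonMark parser).
LINK_PATTERNS = [
    re.compile(r"\[[^\]\n]*\]\(\s*<?([^)\s>]+)"),                      # [text](target)
    re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^>\s]+)>"),               # <scheme:...>
    re.compile(r"^ {0,3}\[[^\]\n]+\]:[ \t]*<?(\S+?)>?[ \t]*$", re.M),  # [id]: target
]

def link_scheme(target):
    """Return the lower-cased URI scheme, or None for relative and anchor links."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", target)
    return m.group(1).lower() if m else None

def audit_markdown(text):
    """Return sorted (line_no, scheme, target) for every link outside http/https."""
    findings = set()  # a set, so a link matched by two patterns is reported once
    for pattern in LINK_PATTERNS:
        for m in pattern.finditer(text):
            target = m.group(1)
            scheme = link_scheme(target)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                line_no = text.count("\n", 0, m.start(1)) + 1
                findings.add((line_no, scheme, target))
    return sorted(findings)

# Constructed sample document; hosts and paths are placeholders.
SAMPLE = """\
# Release notes
See the [changelog](https://example.com/changelog) for details.
Run the [setup helper](file://fileserver.example/share/setup.exe) first.
Install via [the store package][pkg] or read <HTTPS://example.com/docs>.
Jump to [usage](#usage) or [the guide](docs/guide.md).

[pkg]: ms-appinstaller://example.invalid/placeholder
"""

if __name__ == "__main__":
    for line_no, scheme, target in audit_markdown(SAMPLE):
        print(f"line {line_no}: non-web scheme '{scheme}': {target}")
```

Relative links and anchors carry no scheme and are not flagged, while a drive-letter path such as `C:\...` parses as a one-letter scheme and is.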
Oh Microsoft... (Score:2)
by yo303 ( 558777 )
You took something simple like Notepad, added features we didn't want, and not only made it worse but actually made it insecure and fundamentally broken.
This could have been prevented by not removing WordPad.
Down/up (Score:2)
Sounds like they are converting down to up. Typical.