ThreatsDay Bulletin Highlights Microsoft Notepad Markdown Link RCE (CVE-2026-20841)
Microsoft patched a Windows Notepad command-injection vulnerability, CVE-2026-20841 (CVSS 8.8), that can lead to remote code execution when a user opens a Markdown file in Notepad and clicks a crafted malicious link. The issue is described as improper neutralization of special elements used in a command, enabling an attacker to trigger execution of remote or local payloads in the security context of the logged-in user. Public proof-of-concept examples indicate the flaw can be exercised using Markdown file:// links pointing to executables (e.g., file://C:/windows/system32/cmd.exe) and other special URI handlers.
The reporting appears as part of a broader weekly “ThreatsDay” roundup that also references other, separate security stories (e.g., AI prompt injection/RCE themes and other malware/exploit items), but the concrete, actionable item consistently detailed is the Notepad Markdown-link RCE and its patch. A separate “Daily Cyber News” post discusses Microsoft releasing fixes for multiple exploited flaws across widely deployed products, but it does not specifically corroborate the Notepad CVE or the Markdown-link exploitation path described in the roundup, making it contextually related to Microsoft patching activity but not the same discrete vulnerability story.
Timeline
Feb 16, 2026
Munge vulnerability fixed after roughly 20 years
A long-standing Munge vulnerability, tracked as CVE-2026-25506, was finally fixed after existing for about two decades. The recap highlights the remediation as a notable legacy-security milestone.
Feb 16, 2026
Apple patches dyld zero-day used in targeted attacks
Apple disclosed and fixed CVE-2026-20700, a dyld memory corruption zero-day reportedly used in sophisticated targeted attacks. The patch marked a significant response to active exploitation.
Feb 16, 2026
Chrome zero-day CVE-2026-2441 is disclosed and patched
Google disclosed and patched CVE-2026-2441, a Chrome use-after-free vulnerability reported as actively exploited. The fix was included among the week's major browser and platform security updates.
Feb 16, 2026
Microsoft removes hijacked AgreeTo add-in from its store
After the Outlook add-in hijack was identified, Microsoft removed the AgreeTo add-in from the Microsoft store. This was the vendor response to the credential-theft campaign tied to the add-in.
Feb 16, 2026
Attackers exploit abandoned Outlook add-in domain to steal 4,000+ credentials
A previously legitimate Outlook add-in called AgreeTo was repurposed into a phishing kit after attackers took over an abandoned associated domain. The campaign resulted in theft of more than 4,000 Microsoft account credentials.
Feb 12, 2026
Law enforcement action targets $73.6 million pig-butchering scam
Authorities took action against a pig-butchering fraud operation involving $73.6 million in losses. The bulletin cites the case as a notable law-enforcement development during the reporting period.
Feb 12, 2026
Global Telnet traffic drops ahead of GNU InetUtils telnetd auth-bypass disclosure
Researchers observed an anomalous global collapse in Telnet traffic that may indicate pre-disclosure mitigation activity related to CVE-2026-24061, a critical GNU InetUtils telnetd authentication-bypass flaw. The traffic shift was noted as an unusual ecosystem signal around the vulnerability.
Feb 12, 2026
Quest Desktop Authority named-pipe flaw enables SYSTEM-level RCE
A major vulnerability in Quest Desktop Authority was disclosed involving a named-pipe issue that could allow SYSTEM-level remote code execution. The bulletin presents it as a significant newly revealed enterprise software risk.
Feb 12, 2026
Anthropic discloses unpatched zero-click Claude Desktop Extensions RCE risk
Researchers reported a zero-click remote code execution risk in Claude Desktop Extensions driven by prompt-injected Google Calendar events. Anthropic chose not to fix the issue, making the disclosure itself a notable development.
Feb 12, 2026
Microsoft patches Windows Notepad Markdown link RCE
Microsoft patched CVE-2026-20841, a command-injection flaw in Windows Notepad that could allow remote code execution through malicious Markdown links. The issue was highlighted as a newly patched exposure in the February threat roundup.
Dec 31, 2025
Google patches Looker RCE and authorization-bypass chain
Google patched a vulnerability chain in Looker tracked as CVE-2025-12743 that could enable remote code execution and authorization bypass. The bulletin cites this as a major disclosed and remediated enterprise software issue.
Related Stories

Windows Notepad Markdown Link Validation Flaw Enables Arbitrary Command Execution
Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store version) tracked as **CVE-2026-20841**, where improper validation of links in Markdown (`.md`) files can lead to arbitrary command execution in the context of the logged-in user. The flaw can be triggered when a victim opens a specially crafted Markdown file and clicks a rendered hyperlink; Notepad’s Markdown rendering/tokenization pipeline turns link text into interactive elements, and the click handler passes attacker-controlled link values onward with insufficient sanitization. Technical reporting indicates Notepad forwards the link target to `ShellExecuteExW()` with only minimal filtering (e.g., stripping leading/trailing slashes), allowing malicious protocol URIs such as `file://` and `ms-appinstaller://` to be invoked via registered protocol handlers. Exploitation is primarily social-engineering driven (email, downloads, or other delivery mechanisms) and requires user interaction (opening the file and clicking the link), but can result in execution of attacker-chosen commands or loading attacker-controlled content depending on protocol handler behavior and system configuration; the issue was disclosed via **Zero Day Initiative** and credited to researchers including Cristian Papa and Alasdair Gorniak (Delta Obscura), with additional analysis referenced by third-party reporting.
1 month ago
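As an added illustration (not code from the bulletin or from any of the reporting it cites), the following Python triage script extracts link targets from a Markdown file and contrasts the slash-stripping filter described above with a scheme allowlist, which is the check a Markdown viewer should apply before handing a link to the OS; the sample Markdown, the regexes and the `ms-appinstaller` URI are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Markdown, modelled on the file:// pattern the reporting describes.
SAMPLE_MD = """# Release notes
See the [docs](https://example.com/docs) and [changelog](CHANGELOG.md).
<file://C:/windows/system32/cmd.exe>
[Install update](ms-appinstaller://?source=https://example.com/app.msix)
[Mail us](mailto:security@example.com)
"""

# Inline links [text](target) and autolinks <target>; good enough for triage, not a full parser.
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)")
AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>]+)>")

# Schemes a Markdown viewer may hand to the OS; anything else is refused outright.
SAFE_SCHEMES = {"http", "https", "mailto"}


def weak_filter(target: str) -> str:
    """Mimics the minimal filtering described above: trims leading/trailing slashes only.
    The scheme survives untouched, so file:// and ms-appinstaller:// pass straight through."""
    return target.strip("/")


def is_allowed_link(target: str) -> bool:
    """Hardened check: allowlist the scheme. Relative links (no scheme) stay inside the viewer."""
    scheme = urlsplit(target).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def extract_links(markdown: str) -> list[str]:
    """Collect every inline-link and autolink target in document order (inline first)."""
    return INLINE_LINK.findall(markdown) + AUTOLINK.findall(markdown)


def flag_links(markdown: str) -> list[tuple[str, str]]:
    """Return (target, scheme) for every link the allowlist would refuse."""
    flagged = []
    for target in extract_links(markdown):
        if not is_allowed_link(target):
            flagged.append((target, urlsplit(target).scheme.lower()))
    return flagged


if __name__ == "__main__":
    for target, scheme in flag_links(SAMPLE_MD):
        print(f"REFUSED scheme={scheme!r}: {target}")
```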
Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution
Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store) app, tracked as **CVE-2026-20841** (CVSS 8.8), caused by **command injection** (`CWE-77`) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped **Markdown (`.md`)** file in Notepad and clicks an embedded malicious link; the app can be coerced into launching **unverified protocols** that load and execute remote content, resulting in code execution in the **security context of the logged-in user** (potentially full compromise if the user has admin rights).
3 weeks ago
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). 
Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
2 months ago