Remember when Notepad was just… Notepad? A simple text editor nobody asked to be modernized?
Yeah, Microsoft didn’t care either. They bolted on Markdown support and AI features anyway. And now we’ve got CVE-2026-20841. Remote code execution. Via a text file. This is the kind of thing that makes you go “oh come on, really?”
The remote code execution isn’t “via a text file”. It’s via a link in a text file, which Notepad now lets you actually click.
Just don’t click on links you don’t know the destination of (Notepad shows the destination for https links at least, on hover) and you don’t have any remote code executing.
You a have not seen what people these days fall for. Seen a lot of dumb stuff at work.
https://www.trendmicro.com/en_us/research/25/e/unmasking-fake-captcha-cases.html