Remember when Notepad was just… Notepad? A simple text editor nobody asked to be modernized?
Yeah, Microsoft didn’t care either. They bolted on Markdown support and AI features anyway. And now we’ve got CVE-2026-20841. Remote code execution. Via a text file. This is the kind of thing that makes you go “oh come on, really?”


Does it not invoke the browser to do it? The article and associated pages don’t really go into how the whole flow works.
It uses a more generic shell linking method that doesn’t just load web URLs but also file paths, including to executables.
https://news.ycombinator.com/item?id=46971516
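
An added example, not from the thread and not Microsoft's code or fix: one defensive way for a Markdown renderer to vet a link target before handing it to a generic OS shell-open call of the kind the reply above describes. The function name, the http/https allowlist and the sample targets are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the editor only ever needs to open web links from rendered Markdown.
ALLOWED_SCHEMES = {"http", "https"}
_DRIVE_PATH = re.compile(r"^[A-Za-z]:([\\/]|$)")   # C:\... or C:/...
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")  # embedded whitespace/control bytes


def classify_link_target(target: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a Markdown link target (hypothetical helper)."""
    t = target.strip()
    if not t:
        return False, "empty"
    if _CONTROL_OR_SPACE.search(t):
        return False, "control-or-whitespace"
    # Network and local paths are checked before URL parsing, because a
    # generic shell-open call treats them as files, not as web URLs.
    if t.startswith(("\\\\", "//")):
        return False, "unc-or-network-path"
    if _DRIVE_PATH.match(t):
        return False, "local-drive-path"
    try:
        parts = urlsplit(t)
    except ValueError:
        return False, "unparseable"
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "relative-or-schemeless"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme-not-allowed:{scheme}"
    if not parts.hostname:
        return False, "missing-host"
    return True, "web-url"


if __name__ == "__main__":
    # Constructed sample targets, as they might appear in [text](target).
    samples = [
        "https://example.com/docs",
        "file:///C:/Tools/example.exe",
        "C:\\Tools\\example.exe",
        "\\\\fileserver\\share\\example.exe",
        "ms-settings:privacy",
        "notes.md",
    ]
    for s in samples:
        print(f"{s!r:45} -> {classify_link_target(s)}")
```

Only targets that return `True` would be passed on to the opener; everything else is shown as inert text or requires an explicit user confirmation.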