This is my favorite part of this story. Do you want remote code execution? Because [fixing things that aren't broken] is how you get remote code execution.
I thought it is by introducing an RCE vulnerability that you get an RCE vulnerability.
I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
Meanwhile TextEdit on Mac always rendered HTML. Which seems useless until you realize it can also edit and save as HTML. So there's casually a wysiwyg web editor built into macOS that idk how many people use.
I think it's more likely that Microsoft is vibe coding slop garbage to replace their core apps that were literally better.
Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is an Electron sloplication.
It was already true that an attacker could trick a user into copying a malicious link inside a file opened in Notepad to their browser, was that also a Remote Code Execution Vulnerability?
You can trick the user into copying the same malicious link, but browsers have generally already implemented the same mitigation that is Microsoft's fix for this issue inside Notepad (specifically, prompting before opening outside applications after the user enters or clicks a URL that isn't one of the built-in schemes).
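The mitigation described in the comment above (prompt before handing a URL with a non-built-in scheme to an outside application), sketched as an added example that is not part of the thread or Microsoft's code. The set of built-in schemes, the simplified link regex and the sample document are assumptions made for illustration.

```python
import re

# Assumption: schemes the viewer opens without asking. The thread only says
# "built-in schemes"; this particular set is illustrative.
BUILT_IN_SCHEMES = frozenset({"http", "https", "mailto"})

# Inline Markdown links of the form [label](target). Simplified: no nested
# brackets, no <angle-bracket> targets, no link titles.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")

# RFC 3986 scheme: a letter followed by letters, digits, "+", "." or "-".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def link_decision(target):
    """Return 'open', 'prompt' or 'ignore' for one link target."""
    # Drop whitespace and control characters first, so a scheme cannot be
    # hidden from the check by characters a URL handler would skip over.
    cleaned = "".join(
        ch for ch in target if ch.isprintable() and not ch.isspace()
    )
    match = SCHEME_RE.match(cleaned)
    if match is None:
        return "ignore"  # no scheme, so no external protocol handler is involved
    scheme = match.group(1).lower()  # schemes are case-insensitive
    return "open" if scheme in BUILT_IN_SCHEMES else "prompt"


def audit_markdown(text):
    """List (line number, label, target, decision) for every inline link."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in LINK_RE.finditer(line):
            label, target = match.group(1), match.group(2)
            findings.append((lineno, label, target, link_decision(target)))
    return findings


# Constructed sample document, not taken from any real file.
SAMPLE = """\
# Release notes (constructed sample)
See the [changelog](https://example.com/changelog) for details.
Questions? [Mail us](mailto:team@example.com).
Open in the [desktop app](example-app://open?doc=42).
Mixed case still counts: [docs](HTTPS://example.com/docs).
A [relative link](notes/todo.md) has no scheme.
"""

if __name__ == "__main__":
    for lineno, label, target, decision in audit_markdown(SAMPLE):
        print(f"line {lineno}: {decision:6} [{label}] -> {target}")
```

The decision is made on the scheme alone, so the link label shown to the user plays no part in it.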
Much worse:
CVE-2026-20682
Apple Notes Note Deletion Logic Flaw (An attacker may be able to discover a user’s deleted notes.)
Many have not upgraded to iOS 26.3 yet.
I recently thought my keyboard was faulty. I take my notes on notepad, and after a recent update, sensed that keystrokes occasionally get missed or delayed. After a few days, I noticed it was not happening on Google Docs. On a whim I checked Notepad settings and found a new setting, enabled by default: "AI features > Copilot". I disabled it, along with "Autocorrect", and haven't had the problem since.
Notepad is supposed to be a bare bones editor -- where you go when everything else fails. The VI of Windows. If they want a rich editor, they should bring back WordPad.
If you want to make a joke, you can suggest it as a new feature from the parameters of Microsoft To Do. Seems like the only Microsoft app that doesn't yet have it... BTW it can be disabled in Notepad settings.
> Coloring book will be available only on Copilot+ PCs. To use Coloring book, you will need to sign in with your Microsoft account.
Can someone please explain why these two things are ever simultaneously true? You buy the stupid Copilot+ PC that has "AI" NPU hardware, right? So the AI features should be able to run locally. But if you have to sign in with a Microsoft account, then surely, it doesn't run locally, which begs the question, why does it require a Copilot+ PC at all?
Not even going to bother asking "does anybody want this to begin with" because at this point there is no real need to bother asking that.
I feel the deepest existential pain in my heart that despite companies being 'all in' on AI, they can't integrate anything meaningful that would make sense to the end user, but would require even a brain cell's worth of mental effort of ML expertise or actual requirements people have.
My two favourite 'AI' tools in image editing have been ones that can replace tedious work.
One such example are segmentation models that can be used for smart cutouts, removing backgrounds etc.
Now we have both 'segmentation' and 'AI' in paint - but the segmentation uses the exact same shitty flood fill with tolerance that's probably existed in the first paint program at Xerox PARC, while the 'AI' feature is another by-the-numbers crappy stable diffusion model that's strictly worse than anything you could get with your first Google search.
I read somewhere that even for the "Copilot" things that supposedly run locally, windows needs to send a request to microsoft to confirm if your input is allowed by their rules.
Microsoft really want to force you to log in with an MS account, as well as slurp all your documents into the spy cloud, and they keep pushing back on the various ways round this people have found.
(I found an odd one: for some reason I can't log into my PC with my MS account, which let me create the local account I actually wanted. System broken in my favor.)
The best way is to set up samba on a Linux machine, even a raspberry pi, and create a domain. Then you can create group policy to turn off a lot of nonsense and set up your computer by connecting to the domain. No MS account required, although you can associate one if you like.
Windows feels like it has a lot of attrition from home users now and perhaps it is only a matter of time before it's no longer worth writing exclusive software for it.
The reason we're getting this AI gumbo is that obviously the product people at M$ were told: "Make money by selling AI features!!!". Which flipped their minds from their usual "I am Steve Jobs" fantasies, which tell them to _consider the User experience first_, to _Consider the companie$ experience first_, and they can't keep the two concepts in their little heads at the same time because they are, after all, just product people.
Ironic how Notepad used to be too simple, making it useless as a text editor in many cases. In particular, it didn't support UNIX line endings and files larger than a few MB.
Then there was a brief moment where it became decent. Still a barebones text editor, but it could actually edit text, what I think most people expected Notepad to be.
And now, it is going the other way, with "AI" features no one wanted, and also "Markdown support" which is ironic since Markdown is designed to look good in a regular text editor. Now we have something that isn't really a text editor, but not really a wysiwyg editor either, it has some advanced features like AI, but is lacking features most other semi-advanced text editors have (ex: syntax highlighting).
Yeah, Notepad was originally nothing more than a Win32 multiline textbox and two functions, one of which read the file and set the textbox value to the contents and the other took the textbox value and wrote it to the file. Every other menu option simply changed some existing property of the textbox.
I assume there's like a single manager whose job it was to maintain notepad and force use of AI, so obviously, vibe code needless features because if it's not broke, how can you fix it with AI.
I've never liked Windows but did appreciate the dumb simplicity of parts of it. Especially MS Paint. Like Mac Preview has always had all these nice advanced features, but lacked one simple thing most people need, a frikin pencil tool. Then they added a pencil but made it try to turn your scribbles into neat shapes every time... with fill.
Yeah IDK. Wordpad is built around rich text, with all the weirdness and complexity that comes with it. I know for a fact that .rtf is absurdly complicated to work with, and I assume that .docx is similar.
I’m willing to bet that adding markdown to Notepad was a lot simpler than trying to make it work in Wordpad, especially since you’d probably still have to support rich text.
The RichEdit control handles parsing RTF (I believe there was a CVE-level bug about RTF-handling in RichEdit - ahh - here we go https://www.kb.cert.org/vuls/id/368132/), the programmer/app is insulated from grokking RTF.
Adding realtime conversion of text-only Markdown to the processed-richtext Markdown is slightly more difficult than an instant message-type edit control converting a text :) to a unicode emoji character representing :)
You'd have some bookkeeping to remember which lines are markdown and which are plain text. But it's not rocket science.
Imagine Win11-Notepad as WordPad with all the UI for rich text formatting disabled.
When MS removed Solitaire and made it an app, that should have been the sign to move.
When they introduced a mobile first UI onto a desktop OS...
When they forced mandatory Microsoft accounts...
When they started saving files that had no place being in one drive to the cloud by default and charging people for it...
When they announced the worst AI privacy disaster in computing OS history...
When their updates refused to install cleanly and bricked people's computer to the point of hardware damage...
Seriously thinking I might have Stockholm syndrome at this point. To me the best windows would be Windows 11's kernel and libraries with Windows 7's UI and apps. Because it's been all down hill (generally) since there.
It's not stockholm syndrome for a lot of people. Microsoft is so firmly entrenched in so much of the corporate world that you can't get away from them. My mom was in the market for a new laptop recently, and I so badly wanted to get her setup with a MacBook Air, but it's not an option because the Sage accounting software she uses for my dad's business is Windows only. And furthermore, the business itself (a small pawn shop) is forced to use some specific software to manage inventory (I believe it allows police to access the database to track serial numbers in finding stolen goods or something), which is a webapp using some antiquated decades-old technology that only runs in Microsoft Edge's IE-compatibility mode (which has become a more and more difficult incantation to enable over the years) and I believe that can only be used on the Windows version of Edge.
For me it's currently the minimal-hassle way to make my Steam library runnable. But it feels like we're moving in a good direction thanks to Valve's efforts where one day I may be able to never boot into Windows on my PC.
> When they introduced a mobile first UI onto a desktop OS…
That's when I jumped to Macs and haven't looked back since. Windows is just a glorified game console to me now, but I have enough fun with PS5/Switch exclusives.
Though macOS is also becoming annoying, not quite to that breaking point yet, but worrying
Meanwhile Linuxland seems like a chaos of 10000 people who all think they're right, under an anal overlord
Maybe it's time to dig the Commodore 64 back up? :')
But who cares though, soon AI will make operating systems meaningless, right?
> To me the best windows would be Windows 11's kernel and libraries with Windows 7's UI and apps.
Does anyone know how to achieve that? What happens when you replace the kernel in a Windows 7 installation with the one from Windows 11? How is the manual update procedure for kernels on MS Windows?
They’re turning Notepad into what Wordpad was (or was supposed to be). Now everyone looking for the light weightiest *.txt editor must find a new tool...
Edit is unironically one of my favorite text editors these days. It opens incredibly fast compared to everything else I use, it's easy to use, works fine on Linux. It's not going to replace emacs or VS Code, but it's incredibly handy for basic editing chores.
Notepad++ is solid but they had a recent kerfuffle involving their security practices and the response didn't inspire much confidence. But if you turn off auto-updates then it's a good alternative if you're still on Windows.
The issue Notepad++ is having, is the same as a lot of open source projects: They don't have a ton of money, don't have a business entity, and are struggling to get/keep a software-signing key in those circumstances.
So the people taking pot shots at the developers, I guess, maybe be more specific with what they did wrong and what they should have done instead. Because if you actually understand the history/circumstances (and the fact it was a third-party hosting provider compromised), one would expect more blame on the systemic under-funding of OSS than "developers bad."
Are people wanting them to create a business, monetize Notepad++, so that they no longer have issues with hosting/certificates? I'm guessing not.
More than a small kerfuffle. A supply chain attack by a state actor, believed to be China, resulted in undetected malicious code executions from June 2025 to December 2025.
I didn't realize until recently that the very popular Notepad++ was such a lightning rod over the years for controversy and (though I can't guarantee correlation is causation) security issues.
The problem is usually when you're using notepad, it's in some situation where you don't want to install another exe. Like you're using someone else's PC or a random one in a library or something. This needs to be built in.
While I probably haven't played either in a decade, I bring sol.exe and winmine.exe on general principle, as both had their "Copilot in Notepad" shark-jumping moments all the way back in Windows 8 with the introduction of achievements and in-app purchases.
The possibility of software being a personal, creative, expressive endeavor (which often includes politics), something I believed in back when I was in university twenty years ago, is a feeling that's receded deeply into the past. That might be as much about me as it is about the world, but I miss it.
I remember a few years back there was an update where it would actually type the political message when you created a new text document. I abandoned it ever since.
The creator is also very selective about the type of politics he supports.
Agreed... 5) is minor and just the result of saying "We're not going to bother trying to track if a file goes from having unsaved changes to not as a result of undo/redo - once a file gets marked as having unsaved changes, the only way to 'clear' that is to save the file again."
That option is much better than getting the undo/redo vs unsaved changes tracking wrong and allowing unsaved changes to be easily lost, like notepad does. :-P
20260211 https://news.ycombinator.com/item?id=46971516 Windows Notepad App Remote Code Execution Vulnerability (804 points, 516 comments)
20260210 https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> "An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad"
Other recent Notepad issues:
20260207 https://news.ycombinator.com/item?id=46927098 Microsoft account bugs locked me out of Notepad – Are thin clients ruining PCs? (187 points, 284 comments)
20260127 https://news.ycombinator.com/item?id=46780451 Windows 11 January Update Breaks Notepad (60 points, 25 comments)
[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...
Notepad's got Markdown, it's what LLMs crave.
Everything MS is doing in Windows is to this end.
They got to like step 3 of their 10 step master plan and gave up and have been lingering there.
Microsoft has been a walking husk of a company for the past decade and a half that somehow inexplicably stumbled into a trillion dollar valuation.
It is Micro$oft after all :P
At least, it was good for a couple of years.
Isn’t it boring when a piece of software is just complete? In fact that’s an unacceptable state for it!
step 2: omg there's demand for features
step 3: turn notepad, whose point was to be a dumb simple thing, into a wordpad
step 4: get a raise because you "solved" the problem
Step 6: GOTO 1.
[1] https://github.com/microsoft/edit
Make Microsoft Edit a Lightweight 'VS Code for the Terminal' - https://github.com/microsoft/edit/discussions/682
Here's sample code for opening an RTF file - https://learn.microsoft.com/en-us/windows/win32/controls/use...
There is configurable syntax highlighting in vscode.
Should an app like Notepad ever embed a WebView? (with e.g. tauri-apps/wry instead of CEF now FWIU)? Not even for a Markdown Preview feature IMHO.
[0] https://github.com/microsoft/edit
They're also very political and giving them access to my machine now feels even more risky.
20260202 https://news.ycombinator.com/item?id=46851548 Notepad++ hijacked by state-sponsored actors (917 points, 543 comments)
20260203 https://news.ycombinator.com/item?id=46878338 Notepad++ supply chain attack breakdown (384 points, 198 comments)
20250630 https://news.ycombinator.com/item?id=44426049 High-Severity Vulnerability in Notepad++ (39 points, 14 comments)
20230904 https://news.ycombinator.com/item?id=37385920 Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code (83 points, 39 comments)
20230830 https://news.ycombinator.com/item?id=37320304 Buffer Overflows in Notepad++ (68 points, 61 comments)
20230829 https://news.ycombinator.com/item?id=37311068 Notepad++ v8.5.6 still vulnerable to possible arbitrary code execution (18 points, 3 comments)
20211209 https://news.ycombinator.com/item?id=29499002 StrongPity variant hides behind Notepad++ installation (45 points, 28 comments)
20191030 https://news.ycombinator.com/item?id=21395251 Notepad++ issues attacked by Chinese commenters (237 points, 110 comments)
20191030 https://news.ycombinator.com/item?id=21400526 Notepad++ repository is being spammed after “Free Uyghur” release (82 points, 36 comments)
20190317 https://news.ycombinator.com/item?id=19329330 Notepad++ drops code signing for its releases (496 points, 327 comments)
20170308 https://news.ycombinator.com/item?id=13824032 Notepad++ V 7.3.3 – Fix CIA Hacking Notepad++ Issue (1101 points, 291 comments)
20150112 https://news.ycombinator.com/item?id=8876823 Notepad ++ hacked for Je Suis Charlie comments(web archive link) (65 points, 74 comments)
You can make old Notepad be the default cmd line by going to Apps > Advanced app settings > App execution aliases, and disable the Notepad setting
It can be installed easily via chocolatey.
EDIT: yes it does and it has actually been updated yesterday.
https://www.scintilla.org/SciTEDownload.html
https://www.scintilla.org/ScintillaHistory.html
Assuming most people don’t need to open 16TB files, they might as well use VS Code.
For a UI I’ve been using VSCode. It is quite quick when you disable all extensions and most settings.
> eMacs
I love Emacs, but I don't see how a Lisp platform with a web browser, a Tetris implementation, and 4 terminal emulators (shell, term, ansi-term, eshell) can be considered 'lightweight'.
https://en.wikipedia.org/wiki/Notepad%2B%2B#Political_messag...
0) Set "When Notepad starts" option to "Start new session and discard unsaved changes"
1) New file
2) Type "abc" - note the "X" to close the file changes to a "O" (pretend that's a circle) to indicate unsaved changes
3) Save file - "O" changes back to "X"
4) Type "def" - "X" changes back to "O" because "def" is not on the file on disk
5) Undo, "def" disappears, "O" incorrectly remains...
6) Redo, "def" reappears, "O" incorrectly changes back to "X"
7) Close file. No prompt to save unsaved "def". Reopen file. "def" is gone