Skip to main content

Notepad CVE-2026-3008

| EUVDEUVD-2026-25775 MEDIUM
Use of Externally-Controlled Format String (CWE-134)
2026-04-27 CSA
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

8
PoC Detected
Apr 27, 2026 - 18:57 vuln.today
Public exploit code
Severity Changed
Apr 27, 2026 - 10:22 NVD
CRITICAL MEDIUM
CVSS changed
Apr 27, 2026 - 10:22 NVD
10.0 (CRITICAL) 6.6 (MEDIUM)
Analysis Generated
Apr 27, 2026 - 09:00 vuln.today
CVSS changed
Apr 27, 2026 - 07:22 NVD
10.0 (CRITICAL)
EUVD ID Assigned
Apr 27, 2026 - 06:30 euvd
EUVD-2026-25775
Analysis Generated
Apr 27, 2026 - 06:30 vuln.today
CVE Published
Apr 27, 2026 - 06:04 nvd
MEDIUM 6.6

DescriptionCVE.org

Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.

AnalysisAI

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously crafted input. Attackers can leverage this remotely without authentication (CVSS 4.0 score 10.0, AV:N/PR:N), though desktop application context suggests user interaction required despite UI:N in vector. Publicly available exploit code exists per GitHub repository llgsjsm/cve-2026-3008. Fixed in version 8.9.4 release candidate per community forum discussion. EPSS data not available for 2026 CVE.

CVE-2014-9456 CRITICAL POC
10.0 Jan 02

Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Ev

CVE-2025-15556 HIGH
7.5 Feb 03

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the

CVE-2023-47452 HIGH POC
7.8 Nov 30

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msim

CVE-2023-40031 HIGH POC
7.8 Aug 25

Notepad++ is a free and open-source source code editor. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-32168 HIGH POC
7.8 Sep 28

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (Ux

CVE-2019-16294 HIGH POC
7.8 Sep 14

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode ch

CVE-2022-31902 MEDIUM POC
5.5 Feb 01

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). Rated medium severity (CVSS

CVE-2023-40166 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-40164 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-40036 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-0909 MEDIUM POC
5.5 Feb 18

A vulnerability, which was classified as problematic, was found in cxasm notepad-- 1.22. Rated medium severity (CVSS 5.5

CVE-2023-6401 HIGH
7.8 Nov 30

A vulnerability classified as problematic was found in NotePad++ up to 8.1. Rated high severity (CVSS 7.8), this vulnera

Share

CVE-2026-3008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy