Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
AnalysisAI
Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Technical ContextAI
Notepad Next is a cross-platform reimplementation of Notepad++ written in C++ with embedded Lua scripting for language detection and configuration. The vulnerability stems from unsafe string interpolation (CWE-94: Improper Control of Generation of Code) in the detectLanguageFromExtension() function, which previously constructed Lua code using QString::arg() to inject the file extension directly into a script template. The application calls luaL_openlibs() to load all standard Lua libraries, including os.execute() and io.popen(), which provide full operating system access. The patch (commit f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc) refactors the code to use lua_setglobal() via new setVariable() methods, preventing code injection by passing the extension as data rather than executable code. The commit also restricts execute() calls to compile-time string literals using C++ template size parameters, preventing runtime string construction from being executed.
RemediationAI
Upgrade to Notepad Next version 0.14 or later, released at https://github.com/dail8859/NotepadNext/releases/tag/v0.14, which implements parameterized Lua variable assignment via lua_setglobal() instead of string interpolation. The fix is confirmed in commit f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc. If immediate upgrade is not feasible, implement file name validation to reject files with suspicious extensions containing Lua syntax characters (parentheses, semicolons, quotes, lua keywords like 'os.execute'). Organizations can also restrict Notepad Next file associations to prevent automatic opening of unexpected file types, though this reduces functionality. Train users not to open files with unusual or obfuscated extensions from untrusted sources. No official workaround disables the vulnerable code path without breaking language detection functionality, making upgrade the only complete remediation.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28410