Skip to main content

Notepad Next CVE-2026-42214

| EUVDEUVD-2026-28410 HIGH
Code Injection (CWE-94)
2026-05-07 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 07, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 19:47 vuln.today
Analysis Generated
May 07, 2026 - 19:47 vuln.today
CVE Published
May 07, 2026 - 18:14 nvd
HIGH 7.8

DescriptionGitHub Advisory

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.

AnalysisAI

Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Technical ContextAI

Notepad Next is a cross-platform reimplementation of Notepad++ written in C++ with embedded Lua scripting for language detection and configuration. The vulnerability stems from unsafe string interpolation (CWE-94: Improper Control of Generation of Code) in the detectLanguageFromExtension() function, which previously constructed Lua code using QString::arg() to inject the file extension directly into a script template. The application calls luaL_openlibs() to load all standard Lua libraries, including os.execute() and io.popen(), which provide full operating system access. The patch (commit f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc) refactors the code to use lua_setglobal() via new setVariable() methods, preventing code injection by passing the extension as data rather than executable code. The commit also restricts execute() calls to compile-time string literals using C++ template size parameters, preventing runtime string construction from being executed.

RemediationAI

Upgrade to Notepad Next version 0.14 or later, released at https://github.com/dail8859/NotepadNext/releases/tag/v0.14, which implements parameterized Lua variable assignment via lua_setglobal() instead of string interpolation. The fix is confirmed in commit f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc. If immediate upgrade is not feasible, implement file name validation to reject files with suspicious extensions containing Lua syntax characters (parentheses, semicolons, quotes, lua keywords like 'os.execute'). Organizations can also restrict Notepad Next file associations to prevent automatic opening of unexpected file types, though this reduces functionality. Train users not to open files with unusual or obfuscated extensions from untrusted sources. No official workaround disables the vulnerable code path without breaking language detection functionality, making upgrade the only complete remediation.

Share

CVE-2026-42214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy