Skip to main content

Notepad++ CVE-2026-6539

| EUVDEUVD-2026-26436 MEDIUM
Use of Externally-Controlled Format String (CWE-134)
2026-04-30 VulnCheck
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
CVSS changed
Apr 30, 2026 - 21:22 NVD
4.4 (MEDIUM) 4.6 (MEDIUM)
Analysis Generated
Apr 30, 2026 - 21:00 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 20:45 euvd
EUVD-2026-26436
Analysis Generated
Apr 30, 2026 - 20:45 vuln.today
Patch released
Apr 30, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 30, 2026 - 20:31 nvd
MEDIUM 4.6

DescriptionCVE.org

Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.

AnalysisAI

Format string injection in Notepad++ 8.9.3 Find Results panel handler allows local attackers to cause denial of service and disclose stack memory by distributing malicious nativeLang.xml language pack files that trigger unsafe format string interpretation during search operations. User interaction is required to load the poisoned language pack and perform a search. No active exploitation confirmed, but patch is available from vendor.

Technical ContextAI

Notepad++ uses nativeLang.xml language pack files to configure UI localization and search result formatting. The vulnerability exists in CWE-134 (Use of Externally-Controlled Format String), where the Find Results panel handler interprets format string specifiers (e.g., %x, %s, %n) from untrusted XML configuration without sanitization. When a user performs a search operation after loading a malicious language pack, these format strings are processed as if they were format string directives rather than literal text, allowing attackers to read stack memory or cause crashes. The affected product is identified by CPE cpe:2.3:a:notepad++:notepad++:*:*:*:*:*:*:*:*, confirming all versions prior to the fix are vulnerable.

RemediationAI

Vendor-released patch available: upgrade Notepad++ to version 8.9.4 or later from https://notepad-plus-plus.org/news/v894-released/. Users should download language packs only from official Notepad++ repositories and verify package integrity before installation. As an interim compensating control, restrict user permissions to install third-party language packs or disable custom language pack loading entirely by editing Notepad++ configuration files to prevent loading of unsigned or unverified nativeLang.xml files. However, this may limit legitimate localization functionality for international users. Until patched, users should avoid downloading language packs from untrusted community sources (third-party forums, mirrors, unofficial GitHub repositories) and only use officially distributed language packs. The patch addresses the root cause by sanitizing format string input in the Find Results panel handler, eliminating format string interpretation of XML-sourced configuration data.

CVE-2014-9456 CRITICAL POC
10.0 Jan 02

Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Ev

CVE-2025-15556 HIGH
7.5 Feb 03

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the

CVE-2023-47452 HIGH POC
7.8 Nov 30

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msim

CVE-2023-40031 HIGH POC
7.8 Aug 25

Notepad++ is a free and open-source source code editor. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-32168 HIGH POC
7.8 Sep 28

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (Ux

CVE-2019-16294 HIGH POC
7.8 Sep 14

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode ch

CVE-2026-3008 MEDIUM POC
6.6 Apr 27

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously

CVE-2022-31902 MEDIUM POC
5.5 Feb 01

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). Rated medium severity (CVSS

CVE-2023-40166 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-40164 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-40036 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-0909 MEDIUM POC
5.5 Feb 18

A vulnerability, which was classified as problematic, was found in cxasm notepad-- 1.22. Rated medium severity (CVSS 5.5

Share

CVE-2026-6539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy