Is there a patch available for CVE-2026-6539?

Yes, a patch is available for CVE-2026-6539. Update the affected software to the latest version immediately.

Notepad++ CVE-2026-6539

Q: What is the CVSS score of CVE-2026-6539?

CVE-2026-6539 has a CVSS 4.0 base score of 4.6 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26436 MEDIUM

Use of Externally-Controlled Format String (CWE-134)

2026-04-30 VulnCheck

Denial Of Service Information Disclosure

4.6

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

CVSS changed

Apr 30, 2026 - 21:22 NVD

4.4 (MEDIUM) 4.6 (MEDIUM)

Analysis Generated

Apr 30, 2026 - 21:00 vuln.today

EUVD ID Assigned

Apr 30, 2026 - 20:45 euvd

EUVD-2026-26436

Analysis Generated

Apr 30, 2026 - 20:45 vuln.today

Patch released

Apr 30, 2026 - 20:45 nvd

Patch available

CVE Published

Apr 30, 2026 - 20:31 nvd

MEDIUM 4.6

DescriptionNVD

Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.

AnalysisAI

Format string injection in Notepad++ 8.9.3 Find Results panel handler allows local attackers to cause denial of service and disclose stack memory by distributing malicious nativeLang.xml language pack files that trigger unsafe format string interpretation during search operations. User interaction is required to load the poisoned language pack and perform a search. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6539 vulnerability details – vuln.today

Back

Notepad++ CVE-2026-6539

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

Notepad++ CVE-2026-6539

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code