Skip to main content

Notepad

15 CVEs product

Monthly

CVE-2026-6539 MEDIUM PATCH This Month

Format string injection in Notepad++ 8.9.3 Find Results panel handler allows local attackers to cause denial of service and disclose stack memory by distributing malicious nativeLang.xml language pack files that trigger unsafe format string interpretation during search operations. User interaction is required to load the poisoned language pack and perform a search. No active exploitation confirmed, but patch is available from vendor.

Denial Of Service Information Disclosure Notepad
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-3008 MEDIUM POC NEWS This Month

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously crafted input. Attackers can leverage this remotely without authentication (CVSS 4.0 score 10.0, AV:N/PR:N), though desktop application context suggests user interaction required despite UI:N in vector. Publicly available exploit code exists per GitHub repository llgsjsm/cve-2026-3008. Fixed in version 8.9.4 release candidate per community forum discussion. EPSS data not available for 2026 CVE.

Denial Of Service Notepad
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-5525 MEDIUM This Month

Stack-based buffer overflow in Notepad++ 8.9.3 file drop handler allows local authenticated users to cause application crash and potentially execute code by dragging and dropping a directory path of exactly 259 characters without a trailing backslash, triggering unbounded buffer write via automatic backslash and null terminator appending. CVSS 6.0 (High) reflects local attack vector and high complexity; no public exploit code or active KEV status identified, but upstream fix is confirmed available.

Buffer Overflow Stack Overflow Notepad
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-15556 HIGH KEV PATCH THREAT Act Now

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

RCE Notepad
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
4.3%
CVE-2023-47452 HIGH POC This Week

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Notepad
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2023-6401 HIGH This Week

A vulnerability classified as problematic was found in NotePad++ up to 8.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Notepad
NVD VulDB
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-40166 MEDIUM POC This Month

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Notepad
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2023-40164 MEDIUM POC This Month

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Notepad
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2023-40036 MEDIUM POC This Month

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Notepad
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2023-40031 HIGH POC This Week

Notepad++ is a free and open-source source code editor. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Notepad
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2023-0909 MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in cxasm notepad-- 1.22. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Notepad
NVD VulDB
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-31902 MEDIUM POC This Month

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Notepad
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.6%
CVE-2022-32168 HIGH POC PATCH This Week

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Notepad
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
CVE-2019-16294 HIGH POC This Week

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow RCE Memory Corruption Notepad +1
NVD GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
9.8%
CVE-2014-9456 CRITICAL POC THREAT Emergency

Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.3%.

Buffer Overflow Notepad
NVD Exploit-DB
CVSS 2.0
10.0
EPSS
26.3%
Threat
4.3
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Format string injection in Notepad++ 8.9.3 Find Results panel handler allows local attackers to cause denial of service and disclose stack memory by distributing malicious nativeLang.xml language pack files that trigger unsafe format string interpretation during search operations. User interaction is required to load the poisoned language pack and perform a search. No active exploitation confirmed, but patch is available from vendor.

Denial Of Service Information Disclosure Notepad
NVD
EPSS 0% CVSS 6.6
MEDIUM POC This Month

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously crafted input. Attackers can leverage this remotely without authentication (CVSS 4.0 score 10.0, AV:N/PR:N), though desktop application context suggests user interaction required despite UI:N in vector. Publicly available exploit code exists per GitHub repository llgsjsm/cve-2026-3008. Fixed in version 8.9.4 release candidate per community forum discussion. EPSS data not available for 2026 CVE.

Denial Of Service Notepad
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Stack-based buffer overflow in Notepad++ 8.9.3 file drop handler allows local authenticated users to cause application crash and potentially execute code by dragging and dropping a directory path of exactly 259 characters without a trailing backslash, triggering unbounded buffer write via automatic backslash and null terminator appending. CVSS 6.0 (High) reflects local attack vector and high complexity; no public exploit code or active KEV status identified, but upstream fix is confirmed available.

Buffer Overflow Stack Overflow Notepad
NVD GitHub VulDB
EPSS 4% CVSS 7.5
HIGH KEV PATCH THREAT Act Now

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

RCE Notepad
NVD GitHub VulDB
EPSS 1% CVSS 7.8
HIGH POC This Week

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Notepad
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability classified as problematic was found in NotePad++ up to 8.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Notepad
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Notepad
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Notepad
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Notepad
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

Notepad++ is a free and open-source source code editor. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Notepad
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in cxasm notepad-- 1.22. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Notepad
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Notepad
NVD GitHub VulDB
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Notepad
NVD GitHub
EPSS 10% CVSS 7.8
HIGH POC This Week

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow RCE +3
NVD GitHub Exploit-DB
EPSS 26% 4.3 CVSS 10.0
CRITICAL POC THREAT Emergency

Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.3%.

Buffer Overflow Notepad
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy