Skip to main content

Notepadnext

1 CVEs product

Monthly

CVE-2026-42214 HIGH PATCH This Week

Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Code Injection RCE Notepadnext
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Code Injection RCE Notepadnext
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy