Search criteria
2 vulnerabilities found for notepad_next by dail8859
CVE-2026-42214 (GCVE-0-2026-42214)
Vulnerability from nvd – Published: 2026-05-07 18:14 – Updated: 2026-05-09 03:55
VLAI
Title
Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext
Summary
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/dail8859/NotepadNext/security/… | x_refsource_CONFIRM |
| https://github.com/dail8859/NotepadNext/commit/f3… | x_refsource_MISC |
| https://github.com/dail8859/NotepadNext/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dail8859 | NotepadNext |
Affected:
< 0.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42214",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:59.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NotepadNext",
"vendor": "dail8859",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext\u0027s detectLanguageFromExtension() function interpolates a file\u0027s extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T18:14:20.246Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g"
},
{
"name": "https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"
},
{
"name": "https://github.com/dail8859/NotepadNext/releases/tag/v0.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dail8859/NotepadNext/releases/tag/v0.14"
}
],
"source": {
"advisory": "GHSA-m5fq-c9x5-w54g",
"discovery": "UNKNOWN"
},
"title": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in dail8859/NotepadNext"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42214",
"datePublished": "2026-05-07T18:14:20.246Z",
"dateReserved": "2026-04-25T05:04:37.028Z",
"dateUpdated": "2026-05-09T03:55:59.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42214 (GCVE-0-2026-42214)
Vulnerability from cvelistv5 – Published: 2026-05-07 18:14 – Updated: 2026-05-09 03:55
VLAI
Title
Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext
Summary
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/dail8859/NotepadNext/security/… | x_refsource_CONFIRM |
| https://github.com/dail8859/NotepadNext/commit/f3… | x_refsource_MISC |
| https://github.com/dail8859/NotepadNext/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dail8859 | NotepadNext |
Affected:
< 0.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42214",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:59.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NotepadNext",
"vendor": "dail8859",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext\u0027s detectLanguageFromExtension() function interpolates a file\u0027s extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T18:14:20.246Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g"
},
{
"name": "https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"
},
{
"name": "https://github.com/dail8859/NotepadNext/releases/tag/v0.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dail8859/NotepadNext/releases/tag/v0.14"
}
],
"source": {
"advisory": "GHSA-m5fq-c9x5-w54g",
"discovery": "UNKNOWN"
},
"title": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in dail8859/NotepadNext"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42214",
"datePublished": "2026-05-07T18:14:20.246Z",
"dateReserved": "2026-04-25T05:04:37.028Z",
"dateUpdated": "2026-05-09T03:55:59.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}