CVE-2026-42214
Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext
| CVSS Score | 7.8 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
| CWE | CWE-94 |
| Vendor | dail8859 |
| Product | notepadnext |
| Published | May 7, 2026 |
| Last Updated | May 7, 2026 |
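The description above turns on a file extension being treated as script text rather than data. As an added example (not NotepadNext's code and not the 0.14 patch), the following C++ applies an allowlist to extensions before they reach any script-building code and flags file names that fail it; the function names, the allowlist policy and the sample names are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <string_view>
#include <vector>

// Text after the last '.' of the final path component; empty if there is none.
std::string_view extension_of(std::string_view path) {
    const auto slash = path.find_last_of("/\\");
    const std::string_view name =
        (slash == std::string_view::npos) ? path : path.substr(slash + 1);
    const auto dot = name.rfind('.');
    return (dot == std::string_view::npos) ? std::string_view{} : name.substr(dot + 1);
}

// Allowlist (assumed policy): 1-16 characters from [A-Za-z0-9_+-].
// Quotes, spaces, brackets and any other byte cause rejection.
bool is_plain_extension(std::string_view ext) {
    if (ext.empty() || ext.size() > 16) return false;
    for (const unsigned char c : ext)
        if (!std::isalnum(c) && c != '_' && c != '+' && c != '-') return false;
    return true;
}

// Paths whose extension exists but falls outside the allowlist.
std::vector<std::string> flag_suspicious(const std::vector<std::string>& paths) {
    std::vector<std::string> flagged;
    for (const auto& p : paths) {
        const auto ext = extension_of(p);
        if (!ext.empty() && !is_plain_extension(ext)) flagged.push_back(p);
    }
    return flagged;
}

// Constructed sample file names, not taken from any real incident.
const std::vector<std::string> kSample = {
    "notes.txt", "src/main.cpp", "archive.tar.gz", "dir.v2/README",
    "report.tx\"t", "data.c sv",
};

int main() {
    for (const auto& p : flag_suspicious(kSample))
        std::cout << "suspicious: " << p << '\n';
}
```

The same check can run at a download or mail gateway to triage incoming file names while hosts are still on a version below 0.14.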
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
dail8859 / NotepadNext
< 0.14