Vulnerability Details CVE-2026-42214
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.9%
CVSS Severity
CVSS v3 Score 7.8
References
- https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc
- https://github.com/dail8859/NotepadNext/releases/tag/v0.14
- https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g
- https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g
Products affected by CVE-2026-42214
-
cpe:2.3:a:dail8859:notepad_next:0.1
-
cpe:2.3:a:dail8859:notepad_next:0.10
-
cpe:2.3:a:dail8859:notepad_next:0.11
-
cpe:2.3:a:dail8859:notepad_next:0.12
-
cpe:2.3:a:dail8859:notepad_next:0.13
-
cpe:2.3:a:dail8859:notepad_next:0.2
-
cpe:2.3:a:dail8859:notepad_next:0.3
-
cpe:2.3:a:dail8859:notepad_next:0.3.1
-
cpe:2.3:a:dail8859:notepad_next:0.3.2
-
cpe:2.3:a:dail8859:notepad_next:0.3.3
-
cpe:2.3:a:dail8859:notepad_next:0.4
-
cpe:2.3:a:dail8859:notepad_next:0.4.1
-
cpe:2.3:a:dail8859:notepad_next:0.4.2
-
cpe:2.3:a:dail8859:notepad_next:0.4.3
-
cpe:2.3:a:dail8859:notepad_next:0.4.4
-
cpe:2.3:a:dail8859:notepad_next:0.4.5
-
cpe:2.3:a:dail8859:notepad_next:0.4.6
-
cpe:2.3:a:dail8859:notepad_next:0.4.7
-
cpe:2.3:a:dail8859:notepad_next:0.4.8
-
cpe:2.3:a:dail8859:notepad_next:0.4.9
-
cpe:2.3:a:dail8859:notepad_next:0.5
-
cpe:2.3:a:dail8859:notepad_next:0.5.1
-
cpe:2.3:a:dail8859:notepad_next:0.5.2
-
cpe:2.3:a:dail8859:notepad_next:0.5.3
-
cpe:2.3:a:dail8859:notepad_next:0.5.4
-
cpe:2.3:a:dail8859:notepad_next:0.5.5
-
cpe:2.3:a:dail8859:notepad_next:0.5.6
-
cpe:2.3:a:dail8859:notepad_next:0.6
-
cpe:2.3:a:dail8859:notepad_next:0.6.1
-
cpe:2.3:a:dail8859:notepad_next:0.6.2
-
cpe:2.3:a:dail8859:notepad_next:0.6.3
-
cpe:2.3:a:dail8859:notepad_next:0.6.4
-
cpe:2.3:a:dail8859:notepad_next:0.7
-
cpe:2.3:a:dail8859:notepad_next:0.8
-
cpe:2.3:a:dail8859:notepad_next:0.9