7.8
CVE-2026-42214
- EPSS 0.24%
- Veröffentlicht 07.05.2026 18:14:20
- Zuletzt bearbeitet 12.05.2026 20:24:32
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginImproper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dail8859 ≫ Notepad Next Version < 0.14
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.151 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g
https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc
https://github.com/dail8859/NotepadNext/releases/tag/v0.14