
[CIVN-2026-0222] Multiple Vulnerabilities in Notepad++
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: MEDIUM
Software Affected
Notepad++ versions prior to 8.9.4
Overview
Multiple vulnerabilities have been reported in Notepad++, which could be exploited by an attacker to obtain sensitive memory address information or cause the application to crash.
Target Audience:
All organizations and individuals using Notepad++.
Risk Assessment:
Critical risk due to the possibility of unauthenticated remote code execution.
Impact Assessment:
Remote code execution, unauthorized access, and data manipulation.
Description
Notepad++ is a free, open-source text and source code editor for Windows, widely used by developers and IT professionals.
These vulnerabilities exist due to a format string injection flaw in the FindInFiles/Find Results functionality of Notepad++, caused by improper handling of ‘%s’ format specifiers in the nativeLang.xml configuration file. An attacker could exploit these vulnerabilities by using a specially crafted nativeLang.xml language configuration file and triggering search operations in the affected application.
Successful exploitation could allow an attacker to obtain sensitive memory address information or cause the application to crash.
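The flaw described above arises when '%s' specifiers read from a language file reach a formatting call unchecked. As an added illustration (not code from Notepad++ or from this advisory), the following C code shows one way to validate a localization template before using it as a format string; the function names, the narrow-string handling and the sample templates are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Notepad++ code): returns 1 only if `tmpl`, a string
 * loaded from an untrusted localization file, contains exactly the conversions
 * listed in `expected` (e.g. "ss" = two plain %s), in that order.
 * "%%" is a literal percent. Flags, widths, precisions, length modifiers and
 * any other conversion (%n, %x, %p, ...) cause rejection. */
int template_is_safe(const char *tmpl, const char *expected)
{
    size_t want = 0, n = strlen(expected);
    if (tmpl == NULL) return 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') continue;
        p++;                        /* character following '%' */
        if (*p == '%') continue;    /* escaped percent sign */
        if (*p == '\0') return 0;   /* dangling '%' at end of string */
        if (want >= n || *p != expected[want]) return 0;
        want++;
    }
    return want == n;               /* reject missing specifiers too */
}

/* Use the translated template only if it passes the check; otherwise fall
 * back to the compiled-in default, which the developer controls. */
const char *choose_template(const char *translated, const char *builtin,
                            const char *expected)
{
    return template_is_safe(translated, expected) ? translated : builtin;
}

/* Constructed usage: a search summary that takes exactly two string arguments.
 * The argument count passed here always matches the validated template. */
int render_summary(char *out, size_t cap, const char *translated,
                   const char *hits, const char *files)
{
    const char *fmt = choose_template(translated, "%s hits in %s files", "ss");
    return snprintf(out, cap, fmt, hits, files);
}
```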
Solution
Apply appropriate security updates as mentioned in Notepad++ Security Updates:
https://notepad-plus-plus.org/news/v894-released/
https://cybersecuritynews.com/notepad-vulnerability-crash/
Vendor Information
https://cybersecuritynews.com/notepad-vulnerability-crash/
https://notepad-plus-plus.org/news/v894-released/
References
https://notepad-plus-plus.org/news/v894-released/
https://cybersecuritynews.com/notepad-vulnerability-crash/
CVE Name
CVE-2026-3008
CVE-2026-6539
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


