216.73.216.197

CVE-2026-42214

· Published 07/05/2026 19:16 · Modified 07/05/2026 20:16

Labels: CVE-2026-42214 2026-05-07CVE-2026-42214CWE-94[email protected]

Essential information

Published
07/05/2026 19:16
Modified
07/05/2026 20:16
Author
Creator
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
notepad next / notepad next cpe:2.3:a:notepad_next:notepad_next:*:*:*:*:*:*:*:*

References