Arbitrary Command Execution in NotepadNext Prior to Version 0.14
CVE-2026-42214

7.8 HIGH

Key Information:

Vendor: Dail8859
CVE Published: 7 May 2026

What is CVE-2026-42214?

NotepadNext, a cross-platform reimplementation of Notepad++, has a vulnerability that allows attackers to execute arbitrary commands. In versions prior to 0.14, the function detectLanguageFromExtension() interpolates a file's extension into a Lua script without proper sanitization. An attacker can therefore craft a filename whose extension contains Lua code, and that code executes when the file is opened in NotepadNext. The injected code has full access to Lua's os, io, and package libraries, which can be exploited for arbitrary command execution. The issue has been resolved in version 0.14.
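
The class of flaw described above, next to an allow-list check that closes it, as an added example; this is not NotepadNext's code or its actual fix. The Lua function name languageForExtension, the helper names and the sample filenames in the test are hypothetical.

```cpp
#include <algorithm>
#include <string>

// Hypothetical stand-in for the flawed pattern: the extension is pasted into
// Lua source text, so a quote inside it ends the string literal early and the
// rest of the extension is parsed as code rather than data.
std::string buildLookupUnsafe(const std::string &ext) {
    return "return languageForExtension('" + ext + "')";
}

// Extension = text after the last dot of the final path component.
std::string extensionOf(const std::string &path) {
    const std::string::size_type slash = path.find_last_of("/\\");
    const std::string name = (slash == std::string::npos) ? path : path.substr(slash + 1);
    const std::string::size_type dot = name.rfind('.');
    return (dot == std::string::npos) ? std::string() : name.substr(dot + 1);
}

// Allow-list check: ASCII letters, digits and a few symbols seen in real
// extensions; bounded length. Quotes, brackets, spaces, backslashes fail.
bool isPlainExtension(const std::string &ext) {
    if (ext.empty() || ext.size() > 32) return false;
    return std::all_of(ext.begin(), ext.end(), [](unsigned char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c == '_' || c == '+' || c == '-' || c == '#';
    });
}

// Builds the script only for extensions that pass the allow-list; otherwise
// returns false so the caller can fall back to "no language detected".
bool buildLookupChecked(const std::string &path, std::string &script) {
    const std::string ext = extensionOf(path);
    if (!isPlainExtension(ext)) return false;
    script = buildLookupUnsafe(ext);
    return true;
}

// Number of single quotes in a script; the template contributes exactly two.
int quoteCount(const std::string &script) {
    return static_cast<int>(std::count(script.begin(), script.end(), '\''));
}
```

Handing the extension to Lua as a value through the C API (for example lua_pushstring followed by lua_setglobal) instead of building source text removes the injection point entirely, since the string is never parsed as code.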

Affected Version(s)

NotepadNext < 0.14

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
