Format String Injection Vulnerability in Notepad++ by Notepad++
CVE-2026-6539

4.6 MEDIUM

Key Information:

Vendor

Notepad++

Status
Vendor
CVE Published:
30 April 2026

What is CVE-2026-6539?

A format string injection vulnerability in Notepad++ 8.9.3 allows an attacker to exploit the Find Results panel handler using a crafted nativeLang.xml language pack file. Such a file can be distributed through community channels, and once installed its strings are interpreted as format strings during search operations. The result can be a denial of service through an access violation, and disclosure of sensitive information such as stack or register contents.
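The defect class described above is an untrusted localization string reaching a printf-family function as its format argument. The following is an added example (hypothetical code, not Notepad++ source) of the mitigation a maintainer would apply: the language-pack template is validated against the single placeholder the caller actually supplies, and substitution is done by copying the template as data rather than interpreting it, so directives such as %n or %p in a malicious pack become inert text or cause a fall back to a built-in default. The template strings and the DEFAULT_TEMPLATE value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical built-in fallback used when a language-pack string fails
 * validation (constructed for this example). */
#define DEFAULT_TEMPLATE "Hit count: %d"

/* Accept only the placeholders the caller provides: exactly one "%d" plus
 * the literal "%%". Any other directive ("%n", "%p", "%s", "%08x", ...)
 * or a dangling '%' is rejected. */
bool langpack_template_is_safe(const char *tpl) {
    int dcount = 0;
    for (const char *p = tpl; *p; p++) {
        if (*p != '%') continue;
        p++;                                  /* look at the directive char */
        if (*p == '%') continue;              /* escaped percent sign */
        if (*p == 'd') { dcount++; continue; }
        return false;                         /* anything else is refused */
    }
    return dcount == 1;
}

/* Render the Find Results line by substituting the placeholder ourselves.
 * The untrusted template is only ever copied as data; it is never passed
 * to printf-family functions as the format. Returns the length written. */
int render_find_result(char *out, size_t outsz, const char *tpl, int hits) {
    if (outsz == 0) return 0;
    if (!langpack_template_is_safe(tpl)) tpl = DEFAULT_TEMPLATE;
    size_t n = 0;
    for (const char *p = tpl; *p && n + 1 < outsz; p++) {
        if (*p == '%' && p[1] == '%') {
            out[n++] = '%';
            p++;
        } else if (*p == '%' && p[1] == 'd') {
            /* Only the integer itself goes through snprintf, with a literal format. */
            int w = snprintf(out + n, outsz - n, "%d", hits);
            if (w < 0 || (size_t)w >= outsz - n) { n = outsz - 1; break; }
            n += (size_t)w;
            p++;
        } else {
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience check: render into a local buffer and compare with expected text. */
bool renders_as(const char *tpl, int hits, const char *expected) {
    char buf[64];
    render_find_result(buf, sizeof buf, tpl, hits);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[64];
    /* Constructed hostile template: would be interpreted by a raw printf call. */
    render_find_result(buf, sizeof buf, "%p %p %n", 7);
    puts(buf);                                /* built-in default is used instead */
    render_find_result(buf, sizeof buf, "Found %d hits (100%%)", 7);
    puts(buf);
    return 0;
}
```

The validator is deliberately an allow-list tied to the arguments the call site passes; a deny-list of known-dangerous directives would miss width, precision and positional forms, and a reject-on-mismatch fallback keeps the UI working when a pack is rejected.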

Affected Version(s)

Notepad++ (Windows): all versions from 0 up to, but not including, 8.9.4

References

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hazley Samsudin