Improper Control of Generation of Code (‘Code Injection’) in dail8859/NotepadNext

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.

Basic Information

ID CVE-2026-42214

Source GitHub_M

Published May 7, 2026 at 18:14

Modified May 7, 2026 at 19:00

Affected Product

Vendor dail8859

Product NotepadNext

Version < 0.14

Affected Versions dail8859 NotepadNext < 0.14

CWE Classification

CWE-94

References

{
    "lastseen": "",
    "description": "Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.",
    "published": "2026-05-07T18:14:20.246Z",
    "modified": "2026-05-07T19:00:57.276Z",
    "type": "cve",
    "title": "Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext",
    "source": "GitHub_M",
    "references": "https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g\nhttps://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc\nhttps://github.com/dail8859/NotepadNext/releases/tag/v0.14",
    "id": "CVE-2026-42214",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "dail8859 NotepadNext < 0.14",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "NotepadNext",
    "version": "< 0.14",
    "vendor": "dail8859",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Improper Control of Generation of Code (‘Code Injection’) in dail8859/NotepadNext_CVE-2026-42214