CVE-2026-3008 - Vulnerability Details

Description

Successful exploitation of the
string injection vulnerability could allow an attacker to obtain memory address
information or crash the application.

Published: 2026-04-27

Score: 6.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a string injection flaw that permits an attacker to supply crafted strings that are treated as format specifiers. Successful exploitation can reveal memory address information, potentially facilitating further attacks, or cause the application to crash. The primary impact is a compromise of confidential memory data and a loss of application availability.

Affected Systems

Notepad++ is affected. Versions prior to the 8.9.4 release are vulnerable; the remediation advises updating to Notepad++ 8.9.4 or later.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate risk, and the EPSS score of < 1% shows a very low likelihood of exploitation in the wild. The attack does not appear to be listed in the CISA KEV catalog. Based on the description, the likely attack vector is local input manipulation, but it could also be triggered remotely if a trusted user can influence a string that is processed by the application. Further details on the attack path are not provided in the supplied data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Notepad++

unaffected

Version	Status	Constraints
`8.9.3`	affected	—

No data.

Vendor Product Confidence Versions

Notepad++

100%

Version	Status	Scheme	Platform
`8.9.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Users and administrators of the affected product version are advised to update to the latest version 8.9.4 immediately.

OpenCVE Recommended Actions

Update Notepad++ to version 8.9.4 or later, which contains the fix for the string injection flaw.
If an immediate upgrade is not feasible, restrict the use of Notepad++ to non-sensitive contexts and monitor for unexpected crashes that may indicate exploitation attempts.
Implement logging or alerts for sudden application terminations to detect potential exploitation in real time.

Generated by OpenCVE AI on April 28, 2026 at 04:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://community.notepad-plus-plus.org/topic/27500/notepad-v8-9-4-release-candidate
https://github.com/llgsjsm/cve-2026-3008
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17960
https://llgsjsm.github.io/cve-2026-3008/
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-044/

History

Mon, 27 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Notepad++ Notepad++ notepad++
Vendors & Products		Notepad++ Notepad++ notepad++

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-134
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 10.0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Mon, 27 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`	cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}` cvssV4_0 `{'score': 10.0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Mon, 27 Apr 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.
Title		Vulnerability in Notepad++
References		https://community.notepad-plus-plus.org/topic/27500/notepad-v8-9-4-release-candidate https://github.com/llgsjsm/cve-2026-3008 https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17960 https://llgsjsm.github.io/cve-2026-3008/ https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-044/
Metrics		cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

Subscriptions

Notepad++ Notepad++

MITRE

Status: PUBLISHED

Assigner: CSA

Published: 2026-04-27T06:04:22.186Z

Updated: 2026-04-27T13:29:42.232Z

Reserved: 2026-02-23T05:15:46.334Z

Link: CVE-2026-3008

Vulnrichment

Updated: 2026-04-27T13:09:37.529Z

NVD

Status : Awaiting Analysis

Published: 2026-04-27T07:16:03.597

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-3008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses

CWE-134
Use of Externally-Controlled Format String

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object