Description
Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Published: 2026-05-07
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NotepadNext's detectLanguageFromExtension() function inserts the file's extension directly into a Lua script without any validation, so a specially crafted filename carrying Lua code in its extension has that code executed automatically when the user opens the file. Because luaL_openlibs() is called unconditionally, the Lua environment includes the full os, io, and package libraries, so the injected Lua code can run arbitrary commands in the context of the user's account.
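As an added defender-side illustration (not NotepadNext's own code; the allowlist is an assumption about what a sanitizing fix or a file-triage rule would accept), the check below extracts the extension the way a language detector would and flags any extension containing characters that could change the meaning of script text it is spliced into:

```python
import re
from typing import List, Tuple

# Assumed allowlist: letters, digits and underscores only. Quotes, brackets,
# operators and whitespace have no place in an extension and are exactly the
# characters that can break out of a string literal inside generated script text.
SAFE_EXTENSION = re.compile(r"[A-Za-z0-9_]{1,16}")


def extension_of(filename: str) -> str:
    """Return the text after the final dot of the last path component, or ''."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def check_extension(filename: str) -> Tuple[str, bool]:
    """Return (extension, ok); ok is False when the extension must not be
    handed to a script interpreter without further validation."""
    ext = extension_of(filename)
    if ext == "":
        return ext, True  # no extension: nothing would be interpolated
    return ext, SAFE_EXTENSION.fullmatch(ext) is not None


def flag_suspicious(filenames: List[str]) -> List[str]:
    """Return the filenames whose extension fails the allowlist."""
    return [name for name in filenames if not check_extension(name)[1]]


# Constructed sample batch, as a download folder or mail gateway might see it.
SAMPLE_FILENAMES = [
    "notes.txt",
    "src/main.cpp",
    "archive.tar.gz",   # only the final component "gz" is checked
    "README",           # no extension at all
    "report.txt'",      # a quote could terminate a string literal
    "data.csv(1)",      # operator characters; also a common duplicate-name pattern
    "plan.my notes",    # whitespace inside the extension
]

if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_FILENAMES):
        print(f"flagged: {name!r} (extension {extension_of(name)!r})")
```

The "data.csv(1)" entry shows the expected false positive from duplicate-download naming, which is why such a rule belongs in triage rather than as a hard block on its own.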

Affected Systems

The vulnerability exists in all releases of NotepadNext from the dail8859 project before version 0.14. Users who deploy the open‑source editor from GitHub without upgrading to the v0.14 release or later are susceptible to exploitation.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk. The EPSS score is not available, and the flaw is not catalogued in CISA KEV. Attackers must supply a file with a malicious extension and compel a victim to open it, likely through phishing, malicious downloads, or a supply-chain vector. When executed, the injected Lua code runs with full standard-library access, enabling the attacker to run any system command. The combination of a 7.8 CVSS score and arbitrary command execution makes the vulnerability a significant risk.

Generated by OpenCVE AI on May 7, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NotepadNext to version 0.14 or later, which sanitizes file extensions and eliminates the vulnerable code path.
  • If an upgrade cannot be performed immediately, restrict NotepadNext from opening files with unknown or custom extensions by configuring operating‑system file‑type policies or disabling the option to open arbitrary files through local group policies.
  • Deploy monitoring for unexpected Lua script activity or command shell launches, and investigate any suspicious events promptly.

Generated by OpenCVE AI on May 7, 2026 at 21:25 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dail8859; Dail8859 notepadnext
Vendors & Products  |                | Dail8859; Dail8859 notepadnext

Thu, 07 May 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Title       |                | Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext
Weaknesses  |                | CWE-94
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Dail8859 Notepadnext
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T19:00:57.276Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42214

Vulnrichment

Updated: 2026-05-07T19:00:53.424Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T19:16:01.497

Modified: 2026-05-07T20:16:43.850

Link: CVE-2026-42214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses