The vulnerability is a format string injection in the Find Results panel handler of Notepad++ 8.9.3. By supplying a crafted nativeLang.xml language‑pack file, an attacker can cause the application to interpret format string directives during search operations, leading to access violations, stack or register memory leaks, and user‑visible denial of service. The primary impact is therefore interruption of application availability and potential exposure of sensitive data that resides in memory at the time of exploitation. The weakness is identified as CWE‑134, a classic format string injection flaw.

Notepad++ version 8.9.3. Users who have installed or enabled custom language‑pack files, specifically nativeLang.xml, are affected. No other Notepad++ versions or editions are known to be vulnerable. The impact is confined to systems running this exact build and that have loaded the malicious language‑pack.

The CVSS score is 4.6, indicating moderate risk. EPSS data is not available, suggesting a low or unknown exploitation probability at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to involve users acquiring and installing a poisoned language‑pack file from community channels such as forum or plugin sites; the exploitation then occurs when a search operation is performed, triggering the injected format string. Because the attack requires user action to load the malicious file, the vulnerability is most useful against motivated threat actors who can distribute or embed the language‑pack in phishing or social engineering campaigns.