CVE-2026-42214 HIGH

CVE-2026-42214: Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext

Vendor Dail8859
Product NotepadNext
Weakness CWE-94 · Code injection
Published May 7, 2026
Last update May 9, 2026

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
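The sketch below is an added example, not NotepadNext's code and not the 0.14 patch: it shows one defensive way to put an untrusted extension into Lua source, by allowlisting the value and then encoding it as an inert string literal. The function names, the allowlist policy and the `detect_by_extension` script template are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Assumed policy: a real extension is short and uses only letters, digits
// and a few punctuation characters ('_', '+', '-', '#').
bool isPlainExtension(const std::string &ext) {
    if (ext.empty() || ext.size() > 32) return false;
    for (unsigned char c : ext)
        if (!std::isalnum(c) && c != '_' && c != '+' && c != '-' && c != '#')
            return false;
    return true;
}

// Encode arbitrary bytes as a Lua double-quoted literal. Every byte that is
// not alphanumeric becomes a three-digit \ddd escape, so no byte can close
// the literal or start a new statement.
std::string luaQuote(const std::string &s) {
    std::string out = "\"";
    for (unsigned char c : s) {
        if (std::isalnum(c)) {
            out += static_cast<char>(c);
        } else {
            char buf[5];
            std::snprintf(buf, sizeof buf, "\\%03u", static_cast<unsigned>(c));
            out += buf;
        }
    }
    return out + "\"";
}

// Hypothetical script template; returns false when the extension is rejected
// so the caller can fall back to plain-text handling.
bool buildDetectScript(const std::string &ext, std::string &script) {
    if (!isPlainExtension(ext)) return false;
    script = "return detect_by_extension(" + luaQuote(ext) + ")";
    return true;
}

int main() {
    // Constructed inputs: an ordinary extension and one containing a quote.
    for (const std::string ext : {"cpp", "t\"x"}) {
        std::string script;
        bool ok = buildDetectScript(ext, script);
        std::printf("%-10s -> %s\n", luaQuote(ext).c_str(),
                    ok ? script.c_str() : "(rejected)");
    }
}
```

Passing the extension to Lua as data, for example with lua_pushstring() as a function argument, avoids building script text from file names at all.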

Key dates

02 Disclosure timeline

May 7, 2026 CVE published
May 9, 2026 Record updated