โ† Back to Dashboard

CVE-2026-42214

HIGH NVD
CVSS Score
7.8
Severity
HIGH
Source
NVD
Published
May 07, 2026
Description

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.

View Full Details โ† Back