NotepadNext CVE-2026-42214: Arbitrary Command Execution via Malicious Extensions

A high-severity vulnerability, tracked as CVE-2026-42214, has been identified in NotepadNext, a cross-platform re-implementation of Notepad++. Prior to version 0.14, the application's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitizing it. Because the extension is taken from the filename, which the attacker controls, a name can be crafted so that its "extension" contains Lua code, and that code runs automatically when a victim opens the file in NotepadNext.

According to the National Vulnerability Database, the issue is exacerbated by NotepadNext's unconditional call to luaL_openlibs(), which loads the full Lua standard library, including os, io and package, into the interpreter that runs the injected script. With os.execute, io.popen and similar functions available, injected Lua source is equivalent to arbitrary command execution with the privileges of the user running NotepadNext. NVD rates the vulnerability CVSS 7.8 (HIGH), with high impact on confidentiality, integrity and availability.
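To make the bug class concrete, here is an added example in C++ (the language NotepadNext is written in); it is not NotepadNext's code, and the page does not show the script the application actually builds. The script shape "lang = detect(...)", the helper names extensionOf, buildScriptNaive, luaQuote, buildScriptQuoted and isPlainExtension, and the sample filename are all assumptions made for illustration. The naive builder reproduces the pattern the advisory describes (untrusted text spliced into Lua source), and the two hardened variants show the fix at the source-text level and at the input-validation level.

```cpp
// Added example (not NotepadNext's code). The Lua script shape "lang = detect(...)"
// and the helper names below are assumptions made for illustration; the page does
// not show the script NotepadNext actually builds.
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Assumed extraction: everything after the first '.' (so "tar.gz" survives intact).
// The attacker controls this value completely, since it comes from the filename.
std::string extensionOf(const std::string& filename) {
    std::string::size_type pos = filename.find('.');
    return pos == std::string::npos ? "" : filename.substr(pos + 1);
}

// VULNERABLE pattern the advisory describes: untrusted text spliced into Lua source.
// A '"' in the extension closes the literal and everything after it is parsed as code.
std::string buildScriptNaive(const std::string& ext) {
    return "lang = detect(\"" + ext + "\")";
}

// Hardened variant 1: emit a proper Lua string literal. Every byte that could end
// the literal or change how it parses is escaped, so the extension stays data.
// (The escapes mirror what Lua's string.format("%q") produces for these bytes.)
std::string luaQuote(const std::string& s) {
    std::string out = "\"";
    for (unsigned char c : s) {
        switch (c) {
            case '\\': out += "\\\\"; break;
            case '"':  out += "\\\""; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            default:
                if (c < 0x20 || c == 0x7f) {        // other control bytes -> \ddd
                    char buf[5];
                    std::snprintf(buf, sizeof buf, "\\%03u", static_cast<unsigned>(c));
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    return out + "\"";
}

std::string buildScriptQuoted(const std::string& ext) {
    return "lang = detect(" + luaQuote(ext) + ")";
}

// Hardened variant 2 (cheaper, and the right first gate): refuse anything that does
// not look like an extension before any Lua is involved. The same predicate works
// as a hunting check over a file listing: a name that fails it deserves a look.
bool isPlainExtension(const std::string& ext) {
    if (ext.empty() || ext.size() > 32) return false;
    for (unsigned char c : ext) {
        if (!std::isalnum(c) && c != '.' && c != '_' && c != '-' && c != '+') return false;
    }
    return true;
}

int main() {
    // Constructed sample, not a payload from the advisory: the "extension" carries Lua.
    const std::string evil = "report.txt\") os.execute(\"id\") --";
    const std::string ext = extensionOf(evil);
    std::cout << "naive : " << buildScriptNaive(ext) << '\n';   // os.execute is live code here
    std::cout << "quoted: " << buildScriptQuoted(ext) << '\n';  // same bytes, now an inert string
    std::cout << "allowed: " << std::boolalpha << isPlainExtension(ext) << '\n';
    return 0;
}
```

Two caveats. First, escaping is the minimal fix; the cleaner design is to never generate Lua source from data at all, for example by pushing the extension into the Lua state with lua_pushstring()/lua_setglobal() and having a fixed script read it, and to open only the libraries the script needs (luaL_requiref() per library) instead of calling luaL_openlibs(). Second, the constructed filename above contains a double quote, which NTFS rejects but Linux and macOS filesystems accept; the page does not say which characters the real payload relies on, so treat the sample as an illustration of the class, not of the specific trigger.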

The vulnerability is patched in NotepadNext version 0.14. Exploitation requires nothing more than persuading a user to open a file whose name the attacker chose; no further interaction is needed. Note that the payload lives in the filename, not in the file's contents, so content-based inspection will not see it. Cheap delivery combined with arbitrary command execution on the workstation makes this a realistic initial-access vector, and the outcome is compromise of the user's session and everything it can reach, not merely loss of the data in the opened file.

What This Means For You

  • If your organization's users run NotepadNext, verify now that they are on version 0.14 or later. An unpatched instance is a direct path to arbitrary command execution on the user's workstation, and from there to the rest of the network. Because the trigger is the name of the opened file, any workflow in which users open files they did not create (downloads, mail attachments, cloned repositories, shared drives) is exposed, and scanning file contents offers no protection. Patching is the only real fix.

Indicators of Compromise

ID              Type           Indicator
CVE-2026-42214  Vulnerability  CVE-2026-42214
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
