← volver
CVE-2026-42214

Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext

CVSS 7.8 HIGHEPSS 0.2%CWE-94
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 may 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Productos afectados
dail8859 · NotepadNext