Medium severity 4.4 · NVD Advisory · Published Apr 30, 2026 · Updated May 1, 2026
CVE-2026-6539
Description
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.
Affected products
- cpe:2.3:a:notepad-plus-plus:notepad\+\+:8.9.3:*:*:*:*:*:*:*
- (no CPE) range: =8.9.3
References
- www.vulncheck.com/advisories/notepad-format-string-injection-via-nativelang-xml (nvd, Third Party Advisory)
- notepad-plus-plus.org/news/v894-released/ (nvd, Release Notes)