VYPR
Vendor: Notepad Plus Plus

Products: 1
CVEs: 20
Across products: 20
Status: Private

Recent CVEs (20)
  • CVE-2025-56383 | High | Sep 26, 2025
    risk 0.55 | cvss 8.4 | epss 0.00

    Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs when a user installs the product into a directory tree that allows write access by…

  • CVE-2026-3008 | Medium | Apr 27, 2026
    risk 0.43 | cvss 6.6 | epss 0.00

    Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.

  • CVE-2025-49144 | High | Jun 23, 2025
    risk 0.40 | cvss 7.3 | epss 0.00

    Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker…

  • CVE-2026-5525 | Medium | Apr 10, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without…

  • CVE-2026-6539 | Medium | Apr 30, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language…

  • CVE-2025-15556 | KEV | Feb 3, 2026
    risk 0.12 | cvss | epss 0.01

    Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the…

  • CVE-2014-9456 | Jan 2, 2015
    risk 0.04 | cvss | epss 0.11

    Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. NOTE: this issue was originally incorrectly mapped to CVE-2014-1004; see CVE-2014-1004 for more information.

  • CVE-2007-2666 | May 14, 2007
    risk 0.04 | cvss | epss 0.15

    Stack-based buffer overflow in LexRuby.cxx (SciLexer.dll) in Scintilla 1.73, as used by notepad++ 4.1.1 and earlier, allows user-assisted remote attackers to execute arbitrary code via certain Ruby (.rb) files with long lines. NOTE: this was originally reported as a…

  • CVE-2026-25926 | Feb 18, 2026
    risk 0.00 | cvss | epss 0.00

    Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can…

  • CVE-2023-6401 | Nov 30, 2023
    risk 0.00 | cvss | epss 0.00

    A vulnerability classified as problematic was found in NotePad++ up to 8.1. Affected by this vulnerability is an unknown functionality of the file dbghelp.exe. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The identifier VDB-246421…

  • CVE-2023-47452 | Nov 30, 2023
    risk 0.00 | cvss | epss 0.01

    An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory.

  • CVE-2023-40166 | Aug 25, 2023
    risk 0.00 | cvss | epss 0.00

    Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in `FileManager::detectLanguageFromTextBegining`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory…

  • CVE-2023-40164 | Aug 25, 2023
    risk 0.00 | cvss | epss 0.01

    Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `nsCodingStateMachine::NextStater`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation…

  • CVE-2023-40036 | Aug 25, 2023
    risk 0.00 | cvss | epss 0.00

    Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory…

  • CVE-2023-40031 | Aug 25, 2023
    risk 0.00 | cvss | epss 0.00

    Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code execution. As of time of publication, no known patches are available in existing…

  • CVE-2022-31902 | Feb 1, 2023
    risk 0.00 | cvss | epss 0.01

    Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add().

  • CVE-2022-31901 | Jan 19, 2023
    risk 0.00 | cvss | epss 0.01

    Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.

  • CVE-2022-32168 | Sep 28, 2022
    risk 0.00 | cvss | epss 0.01

    Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++.

  • CVE-2019-16294 | Sep 14, 2019
    risk 0.00 | cvss | epss 0.10

    SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

  • CVE-2008-3436 | Aug 1, 2008
    risk 0.00 | cvss | epss 0.02

    The GUP generic update process in Notepad++ before 4.8.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.