Vendor
Notepad Plus Plus
Products
2
CVEs
11
Across products
11
Status
Private
Products
2- 10 CVEs
- 1 CVE
Recent CVEs
11| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-56383 | Hig | 0.55 | 8.4 | 0.00 | Sep 26, 2025 | Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs when a user installs the product into a directory tree that allows write access by arbitrary unprivileged users. | |
| CVE-2026-3008 | Med | 0.43 | 6.6 | 0.00 | Apr 27, 2026 | Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application. | |
| CVE-2026-5525 | Med | 0.39 | 6.0 | 0.00 | Apr 10, 2026 | A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN). | |
| CVE-2026-6539 | Med | 0.29 | 4.4 | 0.00 | Apr 30, 2026 | Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents. | |
| CVE-2025-15556 | 0.12 | — | 0.06 | KEV | Feb 3, 2026 | Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user. | |
| CVE-2026-25926 | 0.00 | — | 0.00 | Feb 18, 2026 | Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application. Version 8.9.2 patches the issue. | ||
| CVE-2023-40166 | 0.00 | — | 0.00 | Aug 25, 2023 | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in `FileManager::detectLanguageFromTextBegining `. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++. | ||
| CVE-2023-40164 | 0.00 | — | 0.00 | Aug 25, 2023 | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `nsCodingStateMachine::NextStater`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++. | ||
| CVE-2023-40036 | 0.00 | — | 0.00 | Aug 25, 2023 | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++. | ||
| CVE-2023-40031 | 0.00 | — | 0.00 | Aug 25, 2023 | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code execution. As of time of publication, no known patches are available in existing versions of Notepad++. | ||
| CVE-2022-32168 | 0.00 | — | 0.00 | Sep 28, 2022 | Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++. |