CVE-2026-6539
Published 2026-04-30
Priority P4 · 17 · medium · 4.4 · CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:L / I:N / A:L
EPSS: 0.19% (8.9th percentile)
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| notepad-plus-plus | notepad | — | — |
| notepad | notepad | < 8.9.4 | 8.9.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L |
| nvd | v4.0 | 4.6 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-vfqp-r766-g759: Notepad++ 8
ghsa_unreviewed·2026-04-30
CVE-2026-6539 [MEDIUM] CWE-134 GHSA-vfqp-r766-g759: Notepad++ 8
VulDB
Notepad++ up to 8.9.3 Find Results Panel format string
vuldb·2026-04-30·CVSS 4.6
CVE-2026-6539 [MEDIUM] Notepad++ up to 8.9.3 Find Results Panel format string
A vulnerability has been found in Notepad++ up to 8.9.3 and classified as critical. The affected element is an unknown function of the component Find Results Panel. The manipulation leads to format string.
This vulnerability is uniquely identified as CVE-2026-6539. Local access is required to approach this attack. No exploit exists.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.