CVE-2026-6539 PUBLISHED

Notepad++ 8.9.3 Format String Injection via nativeLang.xml

Assigner: VulnCheck
Reserved: 17.04.2026 Published: 30.04.2026 Updated: 30.04.2026

Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 4.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CVSS Score: 4.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Notepad++
Product	Notepad++
Versions	Default: unaffected affected from 0 to 8.9.4 (excl.)

CVE-2026-6539 PUBLISHED

Notepad++ 8.9.3 Format String Injection via nativeLang.xml

Metrics

Product Status

Credits

References

Problem Types