Notepad++ Format String Injection Vulnerability in nativeLang.xml Language Pack Allowing Denial-of-Service and Information Disclosure

Vulnerability

A format string injection vulnerability has been identified in Notepad++ version 8.9.3. The issue arises in the Find Results panel handler: an attacker can craft a malicious nativeLang.xml language pack file, and when that poisoned language pack is loaded, its strings are interpreted as format strings during search operations. This leads to access violations and can expose stack or register contents in the rendered output. The vulnerability therefore allows denial-of-service conditions and unauthorized information disclosure.
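The bug class above is the familiar one of handing untrusted text to a formatting function as its format argument. The C snippet below is an added illustration and is not Notepad++'s code: it models a hypothetical "hit count" line whose template comes from a language pack. render_unsafe shows the vulnerable shape (the template is the format string, so whatever conversions it carries are honoured), while render_safe walks the template by hand and accepts only the one placeholder the feature needs, rejecting anything else. The template strings and function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample templates, standing in for strings a language pack
 * would supply. A legitimate pack provides exactly one %d for the hit count;
 * a poisoned pack could supply arbitrary conversions instead. */
static const char *TEMPLATE_BENIGN = "(%d hits, 100%% done)";
static const char *TEMPLATE_POISONED = "%x %x %s";

/* Vulnerable shape: the pack-supplied template is used directly as the
 * format string, so any conversion it contains is interpreted by snprintf,
 * reading arguments that were never passed. */
int render_unsafe(char *out, size_t n, const char *tmpl, int hits) {
    return snprintf(out, n, tmpl, hits);
}

/* Append one byte to out, refusing to overflow or to lose the terminator. */
static int put(char *out, size_t n, size_t *pos, char c) {
    if (*pos + 1 >= n) return 0;
    out[(*pos)++] = c;
    return 1;
}

/* Hardened: the template is never passed to a format function. Only a single
 * "%d" and the literal escape "%%" are accepted; any other '%' conversion, a
 * second "%d", or a missing placeholder rejects the template. Returns the
 * number of bytes written, or -1 on rejection or truncation (out is then
 * empty). */
int render_safe(char *out, size_t n, const char *tmpl, int hits) {
    size_t pos = 0;
    int seen_d = 0;

    if (n == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') {
            if (!put(out, n, &pos, *p)) goto reject;
            continue;
        }
        p++;                                   /* look at the conversion */
        if (*p == '%') {
            if (!put(out, n, &pos, '%')) goto reject;
        } else if (*p == 'd' && !seen_d) {
            /* The only value we format is one we control: the hit count. */
            int w = snprintf(out + pos, n - pos, "%d", hits);
            if (w < 0 || (size_t)w >= n - pos) goto reject;
            pos += (size_t)w;
            seen_d = 1;
        } else {
            goto reject;                       /* unexpected conversion */
        }
    }
    if (!seen_d) goto reject;                  /* placeholder missing */
    out[pos] = '\0';
    return (int)pos;

reject:
    out[0] = '\0';
    return -1;
}

int main(void) {
    char buf[64];
    printf("safe, benign:   %d -> \"%s\"\n",
           render_safe(buf, sizeof buf, TEMPLATE_BENIGN, 7), buf);
    printf("safe, poisoned: %d -> \"%s\"\n",
           render_safe(buf, sizeof buf, TEMPLATE_POISONED, 7), buf);
    return 0;
}
```

The point of the hardened version is that the language pack contributes only literal text plus a vetted placeholder; it never becomes a format string, so there is no path by which pack content can steer the formatter into reading stack or register contents. The same check makes a poisoned pack fail loudly at load or render time, which is also a useful detection signal.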

Impact

Exploitation of this vulnerability causes a denial-of-service condition and allows for unauthorized information disclosure, such as leaking stack or register contents.

Remediation

Users can upgrade to Notepad++ version 8.9.4, which addresses this vulnerability.

Added: Apr 30, 2026, 9:21 PM
Updated: Apr 30, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 3.1
exploitability: 4.2
remediation: 7.7
relevance: 7.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.