CVE-2026-42214

Source
https://cve.org/CVERecord?id=CVE-2026-42214
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42214.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42214
Aliases
  • GHSA-m5fq-c9x5-w54g
Published
2026-05-07T18:14:20.246Z
Modified
2026-07-15T17:43:43.170724Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext
Details

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42214.json",
    "cwe_ids": [
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dail8859/notepadnext

Affected ranges

Type
GIT
Repo
https://github.com/dail8859/notepadnext
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:dail8859:notepad_next:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.14"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1
v0.10
v0.11
v0.12
v0.13
v0.2
v0.3
v0.3.1
v0.3.2
v0.3.3
v0.4
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.6
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7
v0.8
v0.9

Database specific

vanir_signatures
[
    {
        "id": "CVE-2026-42214-04d13bab",
        "signature_type": "Line",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "file": "src/LuaState.cpp"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "138802058061476443278787849427448058694",
                "175415135317334336083455012004015384585",
                "220414321791627074601727806351120472693",
                "59100952895690828830541582260488773465",
                "258031075993636895132267882342139202857",
                "237584566311416248723487145588578429105",
                "164617372603088613173906027067331573902",
                "187638334541224879499712305820114591603"
            ]
        }
    },
    {
        "id": "CVE-2026-42214-06ec7f01",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "LuaState::executeAndReturn",
            "file": "src/LuaState.h"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "278384452406572813913479568699362296963",
            "length": 297.0
        }
    },
    {
        "id": "CVE-2026-42214-43f4e62e",
        "signature_type": "Line",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "file": "src/LuaState.h"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "98407155446569127464717696212149624298",
                "278813501015606356332772264079729074940",
                "110130989803064336552445533642964840608",
                "85293720348142264136453172883532542636",
                "28327739299598594559664035382073049364",
                "325580452133084132031132236934456628912",
                "44118655598628252869165870009548304460",
                "32917554132038487641507384199011782372",
                "182509934177665497511771408822690669691",
                "269148519591321019820463710218766533897",
                "49544593069211707057082026266070110149",
                "142448093913070343687947995222082786097",
                "268938167956047174084367247973030205652",
                "173597319639728290300721260803454872357",
                "154730069710704756254503340627201496104",
                "134579392615152434115133663729101047996",
                "235306426835975362026081334781515274311",
                "302143955422347521505704033969117598204",
                "163594068300777649847565587428922102510",
                "233533364035612545594550057021288557959",
                "58555472332680051777523447229985137494",
                "105873573984877285967457362665133409114",
                "322388555541061917211545092460592874419",
                "270838108146273626108532425576456650816",
                "206143451134003374977836233891719878692",
                "228406313443472722522303244967671361699",
                "44901635326800917896002637476447973991",
                "309708534209091964082786744501803248569",
                "326916451317507898945054456041087699920",
                "115377745278643926325066855058096904527",
                "23302466891729525568100898311043560726",
                "210374346235899047967438559683529579162",
                "18371524364574784614235163628718544308",
                "293873189548732248974503518369842230213",
                "23732720687373957357731114394197999342"
            ]
        }
    },
    {
        "id": "CVE-2026-42214-44752c2d",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "NotepadNextApplication::detectLanguageFromContents",
            "file": "src/NotepadNextApplication.cpp"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "318111221392580164793327393944469114392",
            "length": 484.0
        }
    },
    {
        "id": "CVE-2026-42214-5ce78ae1",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "LuaState::executeAndReturn",
            "file": "src/LuaState.h"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "232688490001681916499554031221861644824",
            "length": 214.0
        }
    },
    {
        "id": "CVE-2026-42214-8753e7df",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "NotepadNextApplication::detectLanguageFromExtension",
            "file": "src/NotepadNextApplication.cpp"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "37896125608251213115593881505072700482",
            "length": 527.0
        }
    },
    {
        "id": "CVE-2026-42214-9e6c71a2",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "NotepadNextApplication::getFileDialogFilterForLanguage",
            "file": "src/NotepadNextApplication.cpp"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "307574637040017441047650927651413303184",
            "length": 244.0
        }
    },
    {
        "id": "CVE-2026-42214-a2bd6f7b",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "LuaState::executeFile",
            "file": "src/LuaState.cpp"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "20852210011443577896568674058291064097",
            "length": 272.0
        }
    },
    {
        "id": "CVE-2026-42214-a84aafe4",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "LuaState::executeAndReturn",
            "file": "src/LuaState.h"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "337949213693754003382358223221684508558",
            "length": 215.0
        }
    },
    {
        "id": "CVE-2026-42214-b15eba87",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "NotepadNextApplication::setEditorLanguage",
            "file": "src/NotepadNextApplication.cpp"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "75772135435540555699795923793661978454",
            "length": 1206.0
        }
    },
    {
        "id": "CVE-2026-42214-f4f26bfb",
        "signature_type": "Function",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "function": "LuaState::execute",
            "file": "src/LuaState.cpp"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "116988486862519272601198894389565010955",
            "length": 472.0
        }
    },
    {
        "id": "CVE-2026-42214-f89489fd",
        "signature_type": "Line",
        "source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
        "signature_version": "v1",
        "target": {
            "file": "src/NotepadNextApplication.cpp"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "159514146354964866758733404807098703484",
                "88540750935803255505216947247146343590",
                "134882200962840793835984483433769951350",
                "151424348322476330378260111591397408300",
                "5912212728257441712161429099750387959",
                "252547486008793221397518887165441809247",
                "33739817178907059118179565545261241814",
                "274591313994691347642594390402153946835",
                "53281620691175540460534856400213941782",
                "298722541942490786691728351675751251419",
                "287793142889164977855936307279147444076",
                "219852586942829105752350807814728082512",
                "146084621919606221296088463329692551909",
                "78713617845724609337449000922720538509",
                "264933594689023930095849161089495627261",
                "71645423553311942348563934012489415048",
                "139862993513195146014992012821675032873",
                "108754364590688213841810314442523227788",
                "127379450238396389953990965900742403932",
                "246066870291839992200006096684863271127",
                "281581681280483937135842986792064429382",
                "330550847343729872817686865819268870822",
                "254405246100211359085162737288934825181",
                "211429485861280660535156861797265877799",
                "111454635380904378119316172616199523248"
            ]
        }
    }
]
vanir_signatures_modified
"2026-07-15T17:43:43Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42214.json"