Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42214.json",
"cwe_ids": [
"CWE-94"
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:dail8859:notepad_next:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.14"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}[
{
"id": "CVE-2026-42214-04d13bab",
"signature_type": "Line",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"file": "src/LuaState.cpp"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"138802058061476443278787849427448058694",
"175415135317334336083455012004015384585",
"220414321791627074601727806351120472693",
"59100952895690828830541582260488773465",
"258031075993636895132267882342139202857",
"237584566311416248723487145588578429105",
"164617372603088613173906027067331573902",
"187638334541224879499712305820114591603"
]
}
},
{
"id": "CVE-2026-42214-06ec7f01",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "LuaState::executeAndReturn",
"file": "src/LuaState.h"
},
"deprecated": false,
"digest": {
"function_hash": "278384452406572813913479568699362296963",
"length": 297.0
}
},
{
"id": "CVE-2026-42214-43f4e62e",
"signature_type": "Line",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"file": "src/LuaState.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"98407155446569127464717696212149624298",
"278813501015606356332772264079729074940",
"110130989803064336552445533642964840608",
"85293720348142264136453172883532542636",
"28327739299598594559664035382073049364",
"325580452133084132031132236934456628912",
"44118655598628252869165870009548304460",
"32917554132038487641507384199011782372",
"182509934177665497511771408822690669691",
"269148519591321019820463710218766533897",
"49544593069211707057082026266070110149",
"142448093913070343687947995222082786097",
"268938167956047174084367247973030205652",
"173597319639728290300721260803454872357",
"154730069710704756254503340627201496104",
"134579392615152434115133663729101047996",
"235306426835975362026081334781515274311",
"302143955422347521505704033969117598204",
"163594068300777649847565587428922102510",
"233533364035612545594550057021288557959",
"58555472332680051777523447229985137494",
"105873573984877285967457362665133409114",
"322388555541061917211545092460592874419",
"270838108146273626108532425576456650816",
"206143451134003374977836233891719878692",
"228406313443472722522303244967671361699",
"44901635326800917896002637476447973991",
"309708534209091964082786744501803248569",
"326916451317507898945054456041087699920",
"115377745278643926325066855058096904527",
"23302466891729525568100898311043560726",
"210374346235899047967438559683529579162",
"18371524364574784614235163628718544308",
"293873189548732248974503518369842230213",
"23732720687373957357731114394197999342"
]
}
},
{
"id": "CVE-2026-42214-44752c2d",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "NotepadNextApplication::detectLanguageFromContents",
"file": "src/NotepadNextApplication.cpp"
},
"deprecated": false,
"digest": {
"function_hash": "318111221392580164793327393944469114392",
"length": 484.0
}
},
{
"id": "CVE-2026-42214-5ce78ae1",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "LuaState::executeAndReturn",
"file": "src/LuaState.h"
},
"deprecated": false,
"digest": {
"function_hash": "232688490001681916499554031221861644824",
"length": 214.0
}
},
{
"id": "CVE-2026-42214-8753e7df",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "NotepadNextApplication::detectLanguageFromExtension",
"file": "src/NotepadNextApplication.cpp"
},
"deprecated": false,
"digest": {
"function_hash": "37896125608251213115593881505072700482",
"length": 527.0
}
},
{
"id": "CVE-2026-42214-9e6c71a2",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "NotepadNextApplication::getFileDialogFilterForLanguage",
"file": "src/NotepadNextApplication.cpp"
},
"deprecated": false,
"digest": {
"function_hash": "307574637040017441047650927651413303184",
"length": 244.0
}
},
{
"id": "CVE-2026-42214-a2bd6f7b",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "LuaState::executeFile",
"file": "src/LuaState.cpp"
},
"deprecated": false,
"digest": {
"function_hash": "20852210011443577896568674058291064097",
"length": 272.0
}
},
{
"id": "CVE-2026-42214-a84aafe4",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "LuaState::executeAndReturn",
"file": "src/LuaState.h"
},
"deprecated": false,
"digest": {
"function_hash": "337949213693754003382358223221684508558",
"length": 215.0
}
},
{
"id": "CVE-2026-42214-b15eba87",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "NotepadNextApplication::setEditorLanguage",
"file": "src/NotepadNextApplication.cpp"
},
"deprecated": false,
"digest": {
"function_hash": "75772135435540555699795923793661978454",
"length": 1206.0
}
},
{
"id": "CVE-2026-42214-f4f26bfb",
"signature_type": "Function",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"function": "LuaState::execute",
"file": "src/LuaState.cpp"
},
"deprecated": false,
"digest": {
"function_hash": "116988486862519272601198894389565010955",
"length": 472.0
}
},
{
"id": "CVE-2026-42214-f89489fd",
"signature_type": "Line",
"source": "https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc",
"signature_version": "v1",
"target": {
"file": "src/NotepadNextApplication.cpp"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"159514146354964866758733404807098703484",
"88540750935803255505216947247146343590",
"134882200962840793835984483433769951350",
"151424348322476330378260111591397408300",
"5912212728257441712161429099750387959",
"252547486008793221397518887165441809247",
"33739817178907059118179565545261241814",
"274591313994691347642594390402153946835",
"53281620691175540460534856400213941782",
"298722541942490786691728351675751251419",
"287793142889164977855936307279147444076",
"219852586942829105752350807814728082512",
"146084621919606221296088463329692551909",
"78713617845724609337449000922720538509",
"264933594689023930095849161089495627261",
"71645423553311942348563934012489415048",
"139862993513195146014992012821675032873",
"108754364590688213841810314442523227788",
"127379450238396389953990965900742403932",
"246066870291839992200006096684863271127",
"281581681280483937135842986792064429382",
"330550847343729872817686865819268870822",
"254405246100211359085162737288934825181",
"211429485861280660535156861797265877799",
"111454635380904378119316172616199523248"
]
}
}
]
"2026-07-15T17:43:43Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42214.json"