CVE-2026-6539
Received Received - Intake
Format String Injection in Notepad++ via Malicious Language Pack

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: VulnCheck

Description
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6539
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
notepad-plus-plus notepad++ 8.9.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Notepad++ version 8.9.3 and involves a format string injection in the Find Results panel handler.

Attackers can craft a malicious nativeLang.xml language pack file that, when used, triggers format string interpretation during search operations.

This can cause denial of service and information disclosure by causing access violations and potentially leaking stack or register contents.

The malicious language pack can be distributed through community channels, making it possible for users to unknowingly trigger the vulnerability.

Impact Analysis

The vulnerability can lead to denial of service, causing the application to crash or become unusable.

It can also result in information disclosure by leaking sensitive data such as stack or register contents.

This could potentially expose internal application data or memory contents to an attacker.

Compliance Impact

The provided information does not specify how the format string injection vulnerability in Notepad++ 8.9.3 (CVE-2026-6539) impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if your Notepad++ installation is a version prior to 8.9.4, as versions before this are affected by the format string injection vulnerability in the Find Results panel handler.

Specifically, detection involves verifying if any malicious or poisoned nativeLang.xml language pack files are present, as these files trigger the vulnerability when search operations are performed.

There are no explicit commands provided in the resources to detect the vulnerability or scan for malicious language packs.

Mitigation Strategies

The immediate mitigation step is to update Notepad++ to version 8.9.4 or later, as this version addresses the format string injection vulnerability (CVE-2026-6539) by fixing the crash issue related to the nativeLang.xml file.

Additionally, avoid using or installing untrusted or community-distributed nativeLang.xml language pack files to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart