CVE-2026-42214
Status: Awaiting Analysis - Queue
Lua Code Injection in Notepad Next

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor: dail8859, Product: notepadnext, Version / Range: up to 0.14 (0.14 excluded)
Vendor: dail8859, Product: notepadnext, Version: 0.14
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-42214 is a high-severity code injection vulnerability in NotepadNext versions 0.13 and earlier. It occurs in the detectLanguageFromExtension() function, which directly inserts a file's extension into a Lua script without sanitizing it. An attacker can craft a filename with a malicious extension containing Lua code that executes automatically when the victim opens the file in NotepadNext.

Because the Lua environment loads full system libraries like os, io, and package unconditionally, the injected Lua code can execute arbitrary commands with the victim's privileges. This vulnerability can be triggered through file open dialogs, drag-and-drop, command-line arguments, or session restore.

The exploit is more effective on macOS and Linux due to their filesystem support for special characters in filenames, while Windows is less affected due to NTFS restrictions.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary code on your system with the same privileges as the user running NotepadNext. This can lead to unauthorized actions such as reading, modifying, or deleting files, installing malware, or taking control of the affected system.

Because the injected Lua code has access to powerful system libraries, the attacker can perform a wide range of malicious activities, potentially compromising system integrity, confidentiality, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying files with suspicious or crafted filename extensions that contain Lua code, which are then opened in vulnerable versions (0.13 and earlier) of NotepadNext. Since the exploit triggers when such files are opened, monitoring for unusual file extensions or filenames containing Lua code patterns is key.

There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade NotepadNext to version 0.14 or later, where the vulnerability has been patched by sanitizing the file extension input and restricting Lua code execution.

Until the upgrade is applied, avoid opening files with untrusted or suspicious filename extensions in NotepadNext, especially those that could contain Lua code.

Additional recommended mitigations include restricting the Lua sandbox environment to exclude unnecessary libraries such as os, io, and package, and sanitizing or validating file extensions before processing.
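The description above and the mitigation answer both come down to the same defect class (CWE-94): a file extension is pasted as text into Lua source, so any character that is meaningful to the Lua parser changes what the script does. The following Python is an added example, not NotepadNext's code and not the vendor's patch; it shows the vulnerable string-building pattern beside a hardened builder that allowlists the extension first, plus a small scanner that applies the same check to a list of constructed filenames, which is the kind of triage the detection answer describes. The `LUA_TEMPLATE`, the allowlist pattern and the `SAMPLE_FILENAMES` are all assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Allowlist for what a real file extension may look like (assumed policy for this
# example): a short run of letters, digits, '+', '-' or '_'.  Quotes, brackets,
# semicolons, whitespace and newlines are never part of a legitimate extension.
SAFE_EXTENSION = re.compile(r"^[A-Za-z0-9_+\-]{1,16}$")

# Characters and tokens that carry meaning inside Lua source; used only so that a
# rejection message can say what was found.
LUA_MARKERS = ('"', "'", "(", ")", ";", "[[", "--", "\n")

# Hypothetical stand-in for the script a language detector might build; the real
# NotepadNext template is not reproduced here.
LUA_TEMPLATE = 'local ext = "%s"\nreturn lexer_for_extension(ext)\n'


def extract_extension(filename: str) -> str:
    """Return the text after the last '.' of the basename, or '' if there is none."""
    name = PurePosixPath(filename).name
    if "." not in name or name.endswith("."):
        return ""
    return name.rsplit(".", 1)[1]


def check_extension(ext: str):
    """Validate an extension before it goes anywhere near a script builder.

    Returns (ok, reason)."""
    if ext == "":
        return True, "no extension"
    if SAFE_EXTENSION.match(ext):
        return True, "allowlisted characters only"
    hits = [m for m in LUA_MARKERS if m in ext]
    detail = ", ".join(repr(h) for h in hits) if hits else "non-allowlisted characters"
    return False, "rejected: contains " + detail


def vulnerable_script(ext: str) -> str:
    """The CWE-94 pattern: untrusted text pasted straight into source code.

    A quote character in `ext` terminates the string literal and whatever
    follows becomes Lua code."""
    return LUA_TEMPLATE % ext


def hardened_script(ext: str) -> str:
    """Same template, but the input is validated first and rejected on failure."""
    ok, reason = check_extension(ext)
    if not ok:
        raise ValueError(reason)
    return LUA_TEMPLATE % ext


def scan_filenames(filenames):
    """Flag filenames whose extension fails validation; returns [(name, reason), ...]."""
    flagged = []
    for name in filenames:
        ok, reason = check_extension(extract_extension(name))
        if not ok:
            flagged.append((name, reason))
    return flagged


# Constructed sample filenames for the scanner (not taken from any real incident).
SAMPLE_FILENAMES = [
    "report.txt",
    "archive.tar.gz",
    "Makefile",
    "notes.c++",
    'memo.txt"; print("injected") --',
    "todo.md;x=1",
]

if __name__ == "__main__":
    for name, reason in scan_filenames(SAMPLE_FILENAMES):
        print(f"{name!r}: {reason}")
```

Validation is the gate, not escaping: once the extension is known to match the allowlist, the template cannot be broken out of. In a real C or C++ host the stronger fix is to never build Lua source from the value at all and instead hand it to the interpreter as data (for example `lua_pushstring` followed by `lua_setglobal`), and to load only the libraries the script actually needs instead of calling `luaL_openlibs()`, which is the second mitigation the answer above recommends.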

