CVE-2026-42214
Awaiting Analysis Awaiting Analysis - Queue
Lua Code Injection in Notepad Next

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42214
EUVD
EUVD-2026-28410
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dail8859 notepadnext to 0.14 (exc)
dail8859 notepadnext 0.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42214 is a high-severity code injection vulnerability in NotepadNext versions 0.13 and earlier. It occurs in the detectLanguageFromExtension() function, which directly inserts a file's extension into a Lua script without sanitizing it. An attacker can craft a filename with a malicious extension containing Lua code that executes automatically when the victim opens the file in NotepadNext.

Because the Lua environment loads full system libraries like os, io, and package unconditionally, the injected Lua code can execute arbitrary commands with the victim's privileges. This vulnerability can be triggered through file open dialogs, drag-and-drop, command-line arguments, or session restore.

The exploit is more effective on macOS and Linux due to their filesystem support for special characters in filenames, while Windows is less affected due to NTFS restrictions.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on your system with the same privileges as the user running NotepadNext. This can lead to unauthorized actions such as reading, modifying, or deleting files, installing malware, or taking control of the affected system.

Because the injected Lua code has access to powerful system libraries, the attacker can perform a wide range of malicious activities, potentially compromising system integrity, confidentiality, and availability.

Detection Guidance

This vulnerability can be detected by identifying files with suspicious or crafted filename extensions that contain Lua code, which are then opened in vulnerable versions (0.13 and earlier) of NotepadNext. Since the exploit triggers when such files are opened, monitoring for unusual file extensions or filenames containing Lua code patterns is key.

There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

The primary mitigation step is to upgrade NotepadNext to version 0.14 or later, where the vulnerability has been patched by sanitizing the file extension input and restricting Lua code execution.

Until the upgrade is applied, avoid opening files with untrusted or suspicious filename extensions in NotepadNext, especially those that could contain Lua code.

Additional recommended mitigations include restricting the Lua sandbox environment to exclude unnecessary libraries such as os, io, and package, and sanitizing or validating file extensions before processing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart