ГлавнаяУязвимости → CVE-2026-42214
7.8высокая

CVE-2026-42214

Описание

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.

Затрагиваемое ПО
Dail8859 Notepad next
CVSS
Балл7.8 — высокая
ВекторCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Источники
https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccchttps://github.com/dail8859/NotepadNext/releases/tag/v0.14https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54ghttps://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g