CVE Daily
← All tags

Tag: Notepad++

All CVEs associated with "Notepad++". Page 1/1 • 49 CVEs.

About “Notepad++”

A curated feed of “Notepad++”-related CVEs appears below. We currently track 49 CVEs for this tag (all time). In the last 365 days, 17 were published. Average CVSS is 6.5 (all time; 6.7 over 365d), and 55% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE-426 - Untrusted Search Path, CWE-789 - Memory Allocation with Excessive Size Value.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: notepad-plus-plus

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
8.98.9.6.2-
8.88.8.9 Expired
8.78.7.9 Expired
8.68.6.9 Expired
8.58.5.8 Expired
8.48.4.9 Expired
8.38.3.3 Expired
8.28.2.1 Expired
8.18.1.9.3 Expired
7.97.9.5 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Notepad++”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-10
High

CVE-2021-47944

memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a p…

CVSS: 7.5 CWE: CWE-789 - Memory Allocation with Excessive Size Value View on NVD
2026-05-07
High

CVE-2026-42214

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script…

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2026-04-30
Medium

CVE-2026-6539

Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious…

CVSS: 4.4 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
2026-04-10
Medium

CVE-2026-5525

A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trai…

CVSS: 6.0 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
2026-03-31
Medium

CVE-2026-34401

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by defa…

CVSS: 6.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2026-03-16
High

CVE-2026-32616

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendma…

CVSS: 8.2 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2026-03-09
High

CVE-2026-25866

MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening r…

CVSS: 7.8 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
2026-02-19
High

CVE-2026-25926

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable…

CVSS: 7.3 CWE: CWE-426 - Untrusted Search Path View on NVD
2026-02-10
High

CVE-2026-20841

Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2026-02-03
High

CVE-2025-15556

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically veri…

CVSS: 7.5 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2026-01-14
High

CVE-2026-23512

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe wi…

CVSS: 8.6 CWE: CWE-426 - Untrusted Search Path View on NVD
Medium

CVE-2025-68966

Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 5.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-68965

Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 4.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-11-28
Medium

CVE-2025-64311

Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 5.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-09-26
High

CVE-2025-56383

Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs when…

CVSS: 8.4 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2025-09-22
Medium

CVE-2025-57927

Cross-Site Request Forgery (CSRF) vulnerability in Stephanie Leary Dashboard Notepad dashboard-notepad allows Cross Site Request Forgery.This issue affects Dashboard Notepad: from n/a through <= 1.42.

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2025-06-23
High

CVE-2025-49144

Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to ga…

CVSS: 7.3 CWE: CWE-272 - Least Privilege Violation View on NVD
2025-04-17
High

CVE-2025-39441

Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Dashboard Notepads dashboard-notepads allows Stored XSS.This issue affects Dashboard Notepads: from n/a through <= 1.2.1.

CVSS: 7.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2024-08-08
Low

CVE-2024-42036

Access permission verification vulnerability in the Notepad module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 2.5 CWE: CWE-285 - Improper Authorization View on NVD
2023-11-30
High

CVE-2023-47452

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory.

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2023-6401

A vulnerability classified as problematic was found in NotePad++ up to 8.1. Affected by this vulnerability is an unknown functionality of the file dbghelp.exe. The manipulation leads to uncontrolled…

CVSS: 5.3 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2023-08-25
Medium

CVE-2023-40166

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in `FileManager::detectLanguageFromTextBegining `. The exploitability of t…

CVSS: 5.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
Medium

CVE-2023-40164

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `nsCodingStateMachine::NextStater`. The exploitability of this issue…

CVSS: 5.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
Medium

CVE-2023-40036

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this…

CVSS: 5.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
High

CVE-2023-40031

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code executi…

CVSS: 7.8 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2023-06-19
Critical

CVE-2023-34159

Improper permission control vulnerability in the Notepad app.Successful exploitation of the vulnerability may lead to privilege escalation, which affects availability and confidentiality.

CVSS: 9.8 CWE: N/A View on NVD
2023-04-04
High

CVE-2022-48227

An issue was discovered in Acuant AsureID Sentinel before 5.2.149. It allows elevation of privileges because it opens Notepad after the installation of AssureID, Identify x64, and Identify x86, aka C…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2023-02-18
Low

CVE-2023-0909

A vulnerability, which was classified as problematic, was found in cxasm notepad-- 1.22. This affects an unknown part of the component Directory Comparison Handler. The manipulation leads to denial o…

CVSS: 3.3 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
2023-02-01
Medium

CVE-2022-31902

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add().

CVSS: 5.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-01-19
Medium

CVE-2022-31901

Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.

CVSS: 6.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2022-09-28
High

CVE-2022-32168

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++.

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2021-10-14
High

CVE-2021-40854

AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Chat Log feature to launch a privileged Notepad process that can launch other appl…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2019-09-14
High

CVE-2019-16294

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2018-04-19
Medium

CVE-2018-2878

Vulnerability in the PeopleSoft Enterprise HCM Shared Components component of Oracle PeopleSoft Products (subcomponent: Notepad). The supported version that is affected is 9.2. Easily exploitable vul…

CVSS: 6.1 CWE: N/A View on NVD
2017-07-05
High

CVE-2017-8803

Notepad++ 7.3.3 (32-bit) with Hex Editor Plugin v0.9.5 might allow user-assisted attackers to execute code via a crafted file, because of a "Data from Faulting Address controls Code Flow" issue. One…

CVSS: 7.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2015-08-15
Medium

CVE-2015-2423

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Windows 10, Excel 2007 SP3, PowerPoin…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-01-02
Critical

CVE-2014-9456

Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. NOTE: this issue was originally incorrectly mapped…

CVSS: 10.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2008-08-01
High

CVE-2008-3436

The GUP generic update process in Notepad++ before 4.8.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse up…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2008-03-08
Critical

CVE-2008-1210

Stack-based buffer overflow in the ctags parsing code in Programmer's Notepad before 2.0.8.718 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitr…

CVSS: 9.3 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2007-10-01
Medium

CVE-2007-5145

Multiple buffer overflows in system DLL files in Microsoft Windows XP, as used by Microsoft Windows Explorer (explorer.exe) 6.00.2900.2180, Don Ho Notepad++, unspecified Adobe Macromedia applications…

CVSS: 4.3 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2007-05-14
High

CVE-2007-2666

Stack-based buffer overflow in LexRuby.cxx (SciLexer.dll) in Scintilla 1.73, as used by notepad++ 4.1.1 and earlier, allows user-assisted remote attackers to execute arbitrary code via certain Ruby (…

CVSS: 7.6 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2006-11-04
Medium

CVE-2006-5702

Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-ar…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2006-03-19
High

CVE-2006-1274

Classic Planer in AntiVir PersonalEdition Classic 7 does not drop privileges before executing external programs, which allows local users to gain privileges via notepad.exe, which is used to display…

CVSS: 7.2 CWE: N/A View on NVD
2006-02-14
High

CVE-2006-0008

The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileg…

CVSS: 7.2 CWE: CWE-264 View on NVD
2006-01-26
Medium

CVE-2006-0442

Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notep…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2005-12-13
Low

CVE-2005-4192

Multiple cross-site scripting (XSS) vulnerabilities in templates/notepads/notepads.inc in Horde Mnemo Note Manager H3 before 2.0.3 allow remote authenticated users to inject arbitrary web script or H…

CVSS: 3.5 CWE: N/A View on NVD
2005-08-03
Medium

CVE-2005-2430

Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id or (2) group_id parameter to forum.php, (3) projec…

CVSS: 4.3 CWE: N/A View on NVD
2004-12-31
High

CVE-2004-2504

The GUI in Alt-N Technologies MDaemon 7.2 and earlier, including 6.8, executes child processes such as NOTEPAD.EXE with SYSTEM privileges when users create new files, which allows local users with ph…

CVSS: 7.2 CWE: N/A View on NVD
2004-10-21
High

CVE-2004-1624

Carbon Copy 6.0.5257 does not drop system privileges when opening external programs through the help topic interface, which allows local users to gain privileges via (1) the help topic interface in C…

CVSS: 7.2 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox