{"id":"CVE-2026-42214","summary":"Improper Control of Generation of Code ('Code Injection') in dail8859/NotepadNext","details":"Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14.","aliases":["GHSA-m5fq-c9x5-w54g"],"modified":"2026-07-15T17:43:43.170724Z","published":"2026-05-07T18:14:20.246Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42214.json"},"references":[{"type":"WEB","url":"https://github.com/dail8859/NotepadNext/releases/tag/v0.14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42214.json"},{"type":"ADVISORY","url":"https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42214"},{"type":"FIX","url":"https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dail8859/notepadnext","events":[{"introduced":"0"},{"fixed":"0c63b760ae82bb0eabbf070030454bae9df9ab5b"},{"fixed":"f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"}],"database_specific":{"cpe":"cpe:2.3:a:dail8859:notepad_next:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.14"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v0.13","v0.12","v0.11","v0.10","v0.9","v0.8","v0.7","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6","v0.5.6","v0.5.5","v0.5.4","v0.5.3","v0.5.2","v0.5.1","v0.5","v0.4.9","v0.4.8","v0.4.7","v0.4.6","v0.4.5","v0.4.4","v0.4.3","v0.4.2","v0.4.1","v0.4","v0.3.3","v0.3.2","v0.3.1","v0.3","v0.2","v0.1"],"database_specific":{"vanir_signatures_modified":"2026-07-15T17:43:43Z","vanir_signatures":[{"target":{"file":"src/LuaState.cpp"},"deprecated":false,"digest":{"line_hashes":["138802058061476443278787849427448058694","175415135317334336083455012004015384585","220414321791627074601727806351120472693","59100952895690828830541582260488773465","258031075993636895132267882342139202857","237584566311416248723487145588578429105","164617372603088613173906027067331573902","187638334541224879499712305820114591603"],"threshold":0.9},"id":"CVE-2026-42214-04d13bab","signature_type":"Line","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"},{"source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"function":"LuaState::executeAndReturn","file":"src/LuaState.h"},"deprecated":false,"digest":{"function_hash":"278384452406572813913479568699362296963","length":297},"id":"CVE-2026-42214-06ec7f01","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/LuaState.h"},"deprecated":false,"digest":{"line_hashes":["98407155446569127464717696212149624298","278813501015606356332772264079729074940","110130989803064336552445533642964840608","85293720348142264136453172883532542636","28327739299598594559664035382073049364","325580452133084132031132236934456628912","44118655598628252869165870009548304460","32917554132038487641507384199011782372","182509934177665497511771408822690669691","269148519591321019820463710218766533897","49544593069211707057082026266070110149","142448093913070343687947995222082786097","268938167956047174084367247973030205652","173597319639728290300721260803454872357","154730069710704756254503340627201496104","134579392615152434115133663729101047996","235306426835975362026081334781515274311","302143955422347521505704033969117598204","163594068300777649847565587428922102510","233533364035612545594550057021288557959","58555472332680051777523447229985137494","105873573984877285967457362665133409114","322388555541061917211545092460592874419","270838108146273626108532425576456650816","206143451134003374977836233891719878692","228406313443472722522303244967671361699","44901635326800917896002637476447973991","309708534209091964082786744501803248569","326916451317507898945054456041087699920","115377745278643926325066855058096904527","23302466891729525568100898311043560726","210374346235899047967438559683529579162","18371524364574784614235163628718544308","293873189548732248974503518369842230213","23732720687373957357731114394197999342"],"threshold":0.9},"id":"CVE-2026-42214-43f4e62e","signature_type":"Line","signature_version":"v1"},{"target":{"file":"src/NotepadNextApplication.cpp","function":"NotepadNextApplication::detectLanguageFromContents"},"deprecated":false,"digest":{"function_hash":"318111221392580164793327393944469114392","length":484},"id":"CVE-2026-42214-44752c2d","signature_type":"Function","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"function":"LuaState::executeAndReturn","file":"src/LuaState.h"},"deprecated":false,"digest":{"function_hash":"232688490001681916499554031221861644824","length":214},"id":"CVE-2026-42214-5ce78ae1"},{"source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/NotepadNextApplication.cpp","function":"NotepadNextApplication::detectLanguageFromExtension"},"deprecated":false,"digest":{"function_hash":"37896125608251213115593881505072700482","length":527},"id":"CVE-2026-42214-8753e7df","signature_type":"Function","signature_version":"v1"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/NotepadNextApplication.cpp","function":"NotepadNextApplication::getFileDialogFilterForLanguage"},"deprecated":false,"digest":{"function_hash":"307574637040017441047650927651413303184","length":244},"id":"CVE-2026-42214-9e6c71a2"},{"signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/LuaState.cpp","function":"LuaState::executeFile"},"deprecated":false,"digest":{"function_hash":"20852210011443577896568674058291064097","length":272},"id":"CVE-2026-42214-a2bd6f7b","signature_type":"Function"},{"id":"CVE-2026-42214-a84aafe4","signature_type":"Function","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/LuaState.h","function":"LuaState::executeAndReturn"},"deprecated":false,"digest":{"function_hash":"337949213693754003382358223221684508558","length":215}},{"target":{"file":"src/NotepadNextApplication.cpp","function":"NotepadNextApplication::setEditorLanguage"},"deprecated":false,"digest":{"function_hash":"75772135435540555699795923793661978454","length":1206},"id":"CVE-2026-42214-b15eba87","signature_type":"Function","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc"},{"id":"CVE-2026-42214-f4f26bfb","signature_type":"Function","signature_version":"v1","source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/LuaState.cpp","function":"LuaState::execute"},"deprecated":false,"digest":{"length":472,"function_hash":"116988486862519272601198894389565010955"}},{"source":"https://github.com/dail8859/notepadnext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc","target":{"file":"src/NotepadNextApplication.cpp"},"deprecated":false,"digest":{"line_hashes":["159514146354964866758733404807098703484","88540750935803255505216947247146343590","134882200962840793835984483433769951350","151424348322476330378260111591397408300","5912212728257441712161429099750387959","252547486008793221397518887165441809247","33739817178907059118179565545261241814","274591313994691347642594390402153946835","53281620691175540460534856400213941782","298722541942490786691728351675751251419","287793142889164977855936307279147444076","219852586942829105752350807814728082512","146084621919606221296088463329692551909","78713617845724609337449000922720538509","264933594689023930095849161089495627261","71645423553311942348563934012489415048","139862993513195146014992012821675032873","108754364590688213841810314442523227788","127379450238396389953990965900742403932","246066870291839992200006096684863271127","281581681280483937135842986792064429382","330550847343729872817686865819268870822","254405246100211359085162737288934825181","211429485861280660535156861797265877799","111454635380904378119316172616199523248"],"threshold":0.9},"id":"CVE-2026-42214-f89489fd","signature_type":"Line","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42214.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}