CVE-2026-6539
MEDIUM
4,6
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: active
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM
4,4
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: low
Integrity: none
Availability: low
Description
AI Translation Available
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0001
Percentile
0,0th
Updated
Single Data Point
Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.
134
Use of Externally-Controlled Format String
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Potential Impacts:
Read Memory
Modify Memory
Execute Unauthorized Code Or Commands
Applicable Platforms
Languages:
C, C++, Not Language-Specific, Perl
Application
Notepad\+\+ by Notepad-Plus-Plus
CPE Identifier
View Detailed Analysis
cpe:2.3:a:notepad-plus-plus:notepad\+\+:8.9.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://notepad-plus-plus.org/news/v894-released/
https://www.vulncheck.com/advisories/notepad-format-string-injection-via-native…