A high-severity code injection vulnerability (CVE-2026-42214) has been disclosed in NotepadNext, the popular open-source cross-platform reimplementation of Notepad++, allowing attackers to execute arbitrary system commands simply by tricking a victim into opening a specially crafted file.
Tracked under GHSA-m5fq-c9x5-w54g and assigned a CVSS v3.1 score of 7.8, the flaw resides in how the application handles file extension-based language detection, and it requires no special privileges to exploit.
NotepadNext is a C++/Qt-based, cross-platform reimplementation of the widely used Notepad++ text editor, developed by GitHub user dail8859. Designed to replicate the look, feel, and plugin ecosystem of Notepad++, it has attracted developers, writers, and system administrators seeking a lightweight editor across macOS and Linux.
Like its inspiration, NotepadNext embeds a Lua scripting engine to handle features such as syntax highlighting and language detection, and it is precisely this scripting integration that introduced the critical flaw now under active disclosure.
CVE-2026-42214: NotepadNext Lua Injection Vulnerability
The vulnerability originates in the detectLanguageFromExtension() function located in src/NotepadNextApplication.cpp at line 317. This function identifies the syntax-highlighting language of a file based on its extension.
To accomplish this, it constructs a Lua script at runtime by directly inserting the file extension retrieved via Qt QFileInfo::suffix() into a Lua string template using QString::arg(). The critical problem: there is zero sanitization, escaping, or validation of the extension value before it is injected into the Lua source code.
This means any attacker-controlled string inserted as a file extension becomes executable Lua code. Compounding the risk, the application’s LuaState::LuaState() constructor calls luaL_openlibs() unconditionally, which loads the full Lua standard library, including the os, io, and package modules into every Lua execution context.
This transforms what might be a sandboxed script execution into a fully capable command shell, reachable through file extension manipulation alone.
An attacker does not need network access, a server exploit, or elevated privileges to weaponize this vulnerability. The attack chain is deceptively simple:
- The attacker crafts a file whose extension contains injected Lua code, e.g., evil." load("...")()--
- QFileInfo::suffix() extracts everything after the last dot in the filename, returning the injected payload as the "extension"
- The payload is embedded directly into the Lua script template without escaping
- When the victim opens the file via File → Open, drag-and-drop, CLI argument, or session restore, detectLanguageFromExtension() is called automatically
- Lua executes the injected code with the victim's full OS user privileges
To bypass POSIX filename dot restrictions that could cause QFileInfo::suffix() to truncate the payload prematurely, the researcher encoded the OS command using Lua decimal escape sequences (\NNN), producing a dot-free payload string that survives intact through the suffix extraction.
A proof-of-concept (PoC) was confirmed on macOS, where executing the malicious file against NotepadNext v0.13 automatically launched Calculator.app, demonstrating live remote code execution (RCE) without any user interaction beyond opening the file.
Affected Platforms
According to the CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability is rated High with a base score of 7.8. Exploitation grants:
- Arbitrary code execution under the victim's user account
- Full filesystem read/write via Lua's io library
- No authentication or privileges required, only user interaction (opening a file)
- Multiple attack vectors: File → Open dialog, CLI argument, session restore, drag-and-drop
The exploit is most effective on macOS and Linux, where POSIX filesystems permit double quotes (") in filenames. Windows NTFS does not allow " in filenames, which limits exploitability on that platform, though the underlying code injection flaw still exists in the codebase.
Patch and Mitigations
All versions of NotepadNext up to and including v0.13 are confirmed vulnerable. The maintainer, dail8859, has released version 0.14 as the patched release. Users should update immediately.
For those who cannot update immediately, the security researcher credited with the discovery, dohyun4455, identified three remediation options:
- Option 1 (Preferred): Pass the file extension as a Lua global variable using lua_pushstring() and lua_setglobal() rather than interpolating it into the script source. This eliminates injection risk.
- Option 2: Sanitize the extension before use by escaping or stripping characters that break Lua string literals, including backslashes, double quotes, and newline characters.
- Option 3: Restrict the Lua sandbox, remove the unconditional luaL_openlibs() call, and only load the specific Lua libraries actually needed for language detection. The os, io, and package libraries are entirely unnecessary for syntax detection.
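The following is an added example (not NotepadNext's own source) showing the unsafe interpolation pattern described above next to a hardened version that implements Option 2 in both its forms: a strict allowlist on the extension and an escaper that renders the value as a Lua string literal. It assumes plain std::string in place of QString, and the Lua-side function name detectLanguage() is a hypothetical placeholder, not the project's real template.

```cpp
// Added example (not NotepadNext's own code): the unsafe interpolation pattern
// beside two hardened forms. std::string stands in for QString; the Lua-side
// function name detectLanguage() is a hypothetical placeholder.
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// UNSAFE: the extension is spliced straight into Lua source text, so any
// quote, backslash or newline in it changes the meaning of the script.
std::string buildDetectScriptUnsafe(const std::string& ext) {
    return "return detectLanguage(\"" + ext + "\")";
}

// Option 2, strict form: allow only characters that belong in a real file
// extension. Anything else is rejected before it gets near the Lua source.
bool isSafeExtension(const std::string& ext) {
    if (ext.empty() || ext.size() > 16) return false;
    for (unsigned char c : ext) {
        if (!(std::isalnum(c) || c == '_' || c == '-' || c == '+')) return false;
    }
    return true;
}

// Option 2, escaping form: render a value as a Lua double-quoted literal.
// Backslash, double quote and control bytes become three-digit decimal
// escapes (\ddd), which Lua's lexer accepts inside a string literal, so the
// literal cannot be terminated early and never contains a raw newline.
std::string toLuaStringLiteral(const std::string& value) {
    std::string out = "\"";
    for (unsigned char c : value) {
        if (c == '\\' || c == '"' || c < 0x20 || c == 0x7f) {
            char buf[5];
            std::snprintf(buf, sizeof buf, "\\%03d", static_cast<int>(c));
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    out += '"';
    return out;
}

// Hardened builder: reject values that fail the allowlist, and escape the
// rest anyway (defence in depth) before placing them in the script.
// Returns an empty string when the extension is rejected.
std::string buildDetectScriptSafe(const std::string& ext) {
    if (!isSafeExtension(ext)) return "";
    return "return detectLanguage(" + toLuaStringLiteral(ext) + ")";
}

int main() {
    // Constructed sample: a quote inside the "extension" closes the literal
    // early in the unsafe builder, but is escaped or rejected by the safe paths.
    const std::string hostile = "a\"b";
    std::cout << buildDetectScriptUnsafe(hostile) << '\n';   // return detectLanguage("a"b")
    std::cout << toLuaStringLiteral(hostile) << '\n';        // "a\034b"
    std::cout << (buildDetectScriptSafe(hostile).empty() ? "rejected" : "accepted") << '\n';
    std::cout << buildDetectScriptSafe("cpp") << '\n';       // return detectLanguage("cpp")
    return 0;
}
```

Escaping only protects the string-literal context it was written for, which is why the researcher's preferred fix is Option 1: handing the value to Lua through lua_pushstring() and lua_setglobal() means no script source is ever assembled from user-controlled data, and there is no literal for a hostile filename to break out of.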
Notably, the researcher also flagged that the setLanguage() function at line 275 may be vulnerable to the same injection pattern, as it similarly constructs Lua via QString::arg() with potentially user-controlled input. Both LuaState.cpp:82 and LuaExtension.cpp:696 call luaL_openlibs(), widening the attack surface.
This disclosure comes amid a broader pattern of security scrutiny of open-source text editors. Earlier in 2026, the Notepad++ project revealed details of a 2025 supply-chain compromise attributed to state-sponsored actors, where malicious installers were delivered to high-value targets via a hijacked update mechanism.
CVE-2026-42214 in NotepadNext is a distinct project and codebase. Still, the timing reinforces growing concerns about Lua and scripting engine attack surfaces in developer tools, a class of software often granted implicit trust on developer workstations.
Code injection vulnerabilities classified under CWE-94 remain among the most impactful categories in the MITRE Common Weakness Enumeration, precisely because they allow attackers to subvert program logic without requiring traditional memory corruption techniques.
For open-source projects that embed scripting runtimes for extensibility, such as NotepadNext’s Lua integration, ensuring that user-controlled data never reaches a code execution path without sanitization is a foundational security requirement.
FAQ
Q1: What is CVE-2026-42214?
CVE-2026-42214 is a high-severity Lua code injection vulnerability in NotepadNext (versions ≤ 0.13) that allows arbitrary command execution by opening a file with a maliciously crafted extension.
Q2: Which versions of NotepadNext are affected?
All NotepadNext releases up to and including version 0.13 are vulnerable; the issue is patched in version 0.14.
Q3: Does this vulnerability affect Windows users?
Windows NTFS does not allow double quotes in filenames, which limits the standard exploit path, but the underlying unsanitized code injection flaw still exists in the codebase on all platforms.
Q4: How can users protect themselves from this vulnerability?
Users should immediately upgrade NotepadNext to version 0.14, which contains the official patch addressing unsanitized Lua interpolation in the detectLanguageFromExtension() function.
Site: thecybrdef.com