Notepad-plus-plus Notepad++ — known CVE vulnerabilities
Every CVE whose affected-product data names Notepad-plus-plus Notepad++, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (20)
CVE-2023-47452 — CVSS 7.8 (high): An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the…
CVE-2026-52884 — CVSS 7.8 (high): Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking…
CVE-2026-48800 — CVSS 7.8 (high): Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in…
CVE-2022-32168 — CVSS 7.8 (high): Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his…
CVE-2023-40031 — CVSS 7.8 (high): Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in…
CVE-2026-48778 — CVSS 7.8 (high): Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml…
CVE-2026-46710 — CVSS 7.8 (high): Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation…
CVE-2019-16294 — CVSS 7.8 (high): SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a…
CVE-2026-25926 — CVSS 7.3 (high): Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2…
CVE-2022-31901 — CVSS 6.5 (medium): Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two…
CVE-2026-52885 — CVSS 6.3 (medium): Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at…
CVE-2026-5525 — CVSS 6.0 (medium): A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and…
CVE-2023-40164 — CVSS 5.5 (medium): Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in…
CVE-2023-40036 — CVSS 5.5 (medium): Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in…
CVE-2023-40166 — CVSS 5.5 (medium): Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in…
CVE-2023-6401 — CVSS 5.3 (medium): A vulnerability classified as problematic was found in NotePad++ up to 8.1. Affected by this vulnerability is an unknown functionality of…
CVE-2026-48770 — CVSS 5.0 (medium): Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send…
CVE-2026-6539 — CVSS 4.4 (medium): Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of…