Unknown · Notepadnext · CVE-2026-42214
**Name of the Vulnerable Software and Affected Versions**
Notepad Next versions prior to 0.14
**Description**
The `detectLanguageFromExtension()` function interpolates a file extension directly into a Lua script without sanitization. An attacker can craft a filename with an extension containing Lua code that executes automatically when the file is opened. Since `luaL_openlibs()` is called unconditionally, the injected code has access to the full `os`, `io`, and `package` libraries, allowing for arbitrary command execution.
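The following added example (not Notepad Next's code) contrasts the interpolation pattern described above with a checked builder. The script template, `languageForExtension`, the helper names and the allowed character set are assumptions, and the sample input is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Hypothetical template: the page does not show the real script text.
static const std::string kHead = "return languageForExtension(\"";
static const std::string kTail = "\")";

// Vulnerable pattern: the extension is pasted into Lua source unchanged.
std::string buildScriptNaive(const std::string &ext) {
    return kHead + ext + kTail;
}

// Check 1: allowlist of characters expected in a real extension (assumed set).
bool isPlainExtension(const std::string &ext) {
    return !ext.empty() && ext.size() <= 16 &&
           std::all_of(ext.begin(), ext.end(), [](unsigned char c) {
               return std::isalnum(c) || c == '_' || c == '+' || c == '-' || c == '#';
           });
}

// Check 2: emit every byte as a Lua decimal escape (\ddd), so no input byte
// can close the string literal or start a new statement.
std::string luaQuote(const std::string &s) {
    std::string out = "\"";
    for (unsigned char c : s) {
        char buf[5];
        std::snprintf(buf, sizeof buf, "\\%03u", static_cast<unsigned>(c));
        out += buf;
    }
    return out + "\"";
}

// Hardened builder: reject unexpected input, then quote what remains.
bool buildScriptChecked(const std::string &ext, std::string &script) {
    if (!isPlainExtension(ext)) return false;
    script = "return languageForExtension(" + luaQuote(ext) + ")";
    return true;
}

int main() {
    const std::string odd = "x\") marker=1 --";  // constructed sample input
    std::string script;
    std::cout << buildScriptNaive(odd) << "\n";            // literal is closed early
    std::cout << buildScriptChecked(odd, script) << "\n";  // 0: rejected
    std::cout << buildScriptChecked("cpp", script) << " " << script << "\n";
}
```

Passing the extension to Lua as a value with `lua_pushlstring` removes source construction entirely, and loading only the libraries the script needs instead of calling `luaL_openlibs()` limits what any injected code could reach.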
**Recommendations**
Update to version 0.14.