Notepad++ · Notepad++ · CVE-2026-6539
**Name of the Vulnerable Software and Affected Versions**
Notepad++ version 8.9.3
**Description**
A format string injection exists in the Find Results panel handler. It is reachable when the application processes a maliciously crafted `nativeLang.xml` language pack file. An attacker can distribute a poisoned language pack through community channels; when a user then performs search operations, the application interprets strings from the pack as format strings. This can lead to access violations, denial of service, and the potential leakage of stack or register contents (information disclosure).
**Recommendations**
As a temporary workaround, avoid installing or using untrusted `nativeLang.xml` language packs from community channels.
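
As an added example (not code from this advisory or from the Notepad++ project), a language pack can be triaged before use by comparing the printf-style conversion specifiers in each attribute against a pack taken from a trusted install. The element names and both sample packs are constructed, and because the advisory does not say which strings reach the Find Results handler, every attribute is checked.

```python
import re
import xml.etree.ElementTree as ET

# printf-style conversion specifier; "%%" (literal percent) is matched so it can be skipped.
SPEC = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|j|z|t|I64|I32)?[diouxXeEfgGaAcCsSpn])"
)

def specifiers(text):
    """Return the conversion specifiers in text, ignoring literal '%%'."""
    return [m.group(0) for m in SPEC.finditer(text) if m.group(0) != "%%"]

def attribute_specs(xml_text):
    """Map 'path@attr' to the sorted specifiers found in that attribute."""
    found = {}
    def walk(node, path):
        ident = f"[{node.get('id')}]" if node.get("id") else ""
        here = f"{path}/{node.tag}{ident}"
        for attr, value in node.attrib.items():
            found.setdefault(f"{here}@{attr}", []).extend(specifiers(value))
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return {key: sorted(specs) for key, specs in found.items()}

def suspicious_strings(trusted_xml, candidate_xml):
    """List attributes whose specifiers differ from the trusted pack."""
    trusted = attribute_specs(trusted_xml)
    return sorted(
        (key, specs)
        for key, specs in attribute_specs(candidate_xml).items()
        if specs != trusted.get(key, [])
    )

# Constructed sample packs; element names are illustrative only.
TRUSTED = """<NotepadPlus><Native-Langue name="English">
  <Item id="1" name="Find"/>
  <Item id="2" name="Search results"/>
  <hits value="%d hits"/>
</Native-Langue></NotepadPlus>"""

CANDIDATE = """<NotepadPlus><Native-Langue name="Example">
  <Item id="1" name="Suchen"/>
  <Item id="2" name="Ergebnisse %s"/>
  <hits value="%d Treffer"/>
</Native-Langue></NotepadPlus>"""

if __name__ == "__main__":
    for key, specs in suspicious_strings(TRUSTED, CANDIDATE):
        print(f"REVIEW {key}: unexpected specifiers {specs}")
```

A clean result only means the specifier sets match the trusted pack; it does not replace the workaround above.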