PT-2026-35357 · Notepad++ · Notepad++

Hazley Samsudin · Published 2026-04-27 · Updated 2026-05-25 · CVE-2026-3008

CVSS v3.1: 6.6 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions: Notepad++ versions prior to 8.9.4

Description: A format string injection issue exists in the FindInFiles search function due to flaws in how format strings are processed. Successful exploitation could allow an attacker to obtain sensitive memory address information or cause the application to crash (denial of service) by using a specially crafted file. This risk is particularly relevant for users utilizing custom nativeLang.xml localization files.

Recommendations: Update to version 8.9.4 or later. Avoid using untrusted configuration or localization files.
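
One way to vet a third-party localization file before installing it, as an added example (not code from this advisory or from the Notepad++ project): the script flags any string that contains a printf-style conversion specifier, which a translated string should not need. The XML element and attribute names in the sample are constructed and are assumptions, not the real nativeLang.xml schema.

```python
import re
import xml.etree.ElementTree as ET

# "%%" is matched first so an escaped percent is never read as a conversion.
# Grammar: %[flags][width][.precision][length]type (C and MSVC length modifiers).
_SPEC = re.compile(
    r"%%|%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|ll|I64|I32|[hlLqjzt])?[diouxXeEfgGaAcCsSpn]"
)

def find_specifiers(text):
    """Return the printf-style conversion specifiers found in text."""
    return [m.group(0) for m in _SPEC.finditer(text) if m.group(0) != "%%"]

def scan_localization(xml_text):
    """Return (tag, attribute, specifiers) for every string that has any."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        values = list(elem.attrib.items())
        if elem.text and elem.text.strip():
            values.append(("#text", elem.text))
        for attr, value in values:
            specs = find_specifiers(value)
            if specs:
                findings.append((elem.tag, attr, specs))
    return findings

# Constructed sample; element and attribute names are illustrative only.
SAMPLE = """<Localization>
  <hits value="$INT_REPLACE$ hits found"/>
  <progress value="100%% complete"/>
  <summary value="Searched %s files %p %n"/>
  <ratio value="50% done"/>
</Localization>"""

if __name__ == "__main__":
    for tag, attr, specs in scan_localization(SAMPLE):
        print(f"{tag}@{attr}: {specs}")
```

The `ratio` entry is reported because a printf-family function reads `% d` as a conversion with the space flag, so an unescaped percent sign in a translation deserves the same review as an explicit `%s` or `%n`.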

Exploit

Fix

Use of Externally-Controlled Format String

Weakness Enumeration

Related Identifiers

BDU:2026-06063
CVE-2026-3008

Affected Products

Notepad++