PT-2026-36185 · Notepad++ · Notepad++
Hazley Samsudin · Published 2026-04-30 · Updated 2026-05-25 · CVE-2026-6539
CVSS v3.1: 4.4 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Notepad++ version 8.9.3
Description
A format string injection exists in the Find Results panel handler. This occurs when the application processes a maliciously crafted nativeLang.xml language pack file. An attacker can distribute a poisoned language pack through community channels; when a user performs search operations, the application triggers format string interpretation. This can lead to access violations, denial of service, and the potential leakage of stack or register contents (information disclosure).
Recommendations
As a temporary workaround, avoid installing or using untrusted nativeLang.xml language packs from community channels.
Fix
DoS
Use of Externally-Controlled Format String
Weakness Enumeration
Related Identifiers
Affected Products
Notepad++
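One way to back the workaround in Recommendations with a check before a language pack is installed (an added example, not code from Notepad++ or from this advisory): scan every string in the file for printf-style conversion specifiers. The sample pack and its element names are constructed, and the premise that a language pack needs no such specifiers and no DOCTYPE is an assumption, so a hit marks a string for review rather than proving anything.

```python
import re
import sys
import xml.etree.ElementTree as ET

# printf-style conversion: %[flags][width][.precision][length]type.
# "%%" (literal percent) is matched first so it is consumed, then dropped.
SPEC = re.compile(
    r"%%|%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?"
    r"(?:hh|h|ll|l|L|j|z|t|I64|I32|I|w)?[diouxXeEfFgGaAcCsSpn]"
)

def find_format_specifiers(data: bytes):
    """Return (tag, attribute, value, [specifiers]) for every suspicious string."""
    # Assumption: the file is UTF-8 and has no reason to declare a DTD or
    # entities, so refuse them instead of letting the parser expand anything.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DOCTYPE/ENTITY declarations are not expected here")
    findings = []
    for elem in ET.fromstring(data).iter():
        # Check attribute values and element text alike.
        strings = list(elem.attrib.items()) + [("#text", elem.text or "")]
        for name, value in strings:
            specs = [s for s in SPEC.findall(value) if s != "%%"]
            if specs:
                findings.append((elem.tag, name, value, specs))
    return findings

# Constructed sample, not taken from a real language pack.
SAMPLE = b"""<NotepadPlus>
  <Native-Langue name="Constructed sample">
    <entry-a value="Find result"/>
    <entry-b value="100%% complete"/>
    <entry-c value="Search %s (%08x)"/>
  </Native-Langue>
</NotepadPlus>"""

if __name__ == "__main__":
    # Scan the file given on the command line, or the sample if none is given.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_format_specifiers(data)
    for tag, name, value, specs in hits:
        print(f"<{tag}> {name}={value!r}: {', '.join(specs)}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when anything is flagged, so it can gate a deployment step that copies language packs into place.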