PT-2026-38552 · Unknown · Notepadnext

Dohyun4455 · Published 2026-05-07 · Updated 2026-05-12 · CVE-2026-42214

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Notepad Next versions prior to 0.14

Description
The detectLanguageFromExtension() function interpolates a file extension directly into a Lua script without sanitization. An attacker can craft a filename with an extension containing Lua code that executes automatically when the file is opened. Since luaL_openlibs() is called unconditionally, the injected code has access to the full os, io, and package libraries, allowing for arbitrary command execution.

Recommendations
Update to version 0.14.
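
The interpolation pattern from the description, next to an allowlist check that rejects unsafe extensions before any Lua source is built. This is an added example, not Notepad Next code and not the 0.14 fix; the Lua template, the function names and the use of std::string are assumptions made for illustration.

```cpp
// Added example. The template and all names below are hypothetical.
#include <algorithm>
#include <iostream>
#include <string>

// Stand-in for a Lua snippet that receives the file extension.
static const std::string kPrefix = "return languageForExtension(\"";
static const std::string kSuffix = "\")";

// Vulnerable pattern: the extension is pasted into Lua source unchanged.
std::string buildScriptUnsafe(const std::string &ext) {
    return kPrefix + ext + kSuffix;
}

// Allowlist: non-empty, short, ASCII characters that cannot end a Lua string literal.
bool isSafeExtension(const std::string &ext) {
    if (ext.empty() || ext.size() > 16) return false;
    return std::all_of(ext.begin(), ext.end(), [](char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c == '_' || c == '+' || c == '-';
    });
}

// Hardened builder: refuses the input instead of trying to escape it.
bool buildScriptChecked(const std::string &ext, std::string &out) {
    out.clear();
    if (!isSafeExtension(ext)) return false;
    out = kPrefix + ext + kSuffix;
    return true;
}

// The template has exactly two double quotes; more means the literal was closed early.
std::size_t quoteCount(const std::string &s) {
    return static_cast<std::size_t>(std::count(s.begin(), s.end(), '"'));
}

int main() {
    const std::string crafted = "txt\"; marker = 1; --";  // constructed, harmless input
    std::string script;
    std::cout << "unsafe script: " << buildScriptUnsafe(crafted) << "\n";
    std::cout << "quote count:   " << quoteCount(buildScriptUnsafe(crafted)) << "\n";
    std::cout << "crafted ok:    " << buildScriptChecked(crafted, script) << "\n";
    std::cout << "cpp ok:        " << buildScriptChecked("cpp", script) << "\n";
    return 0;
}
```

Passing the extension to Lua as a value (for example with lua_pushstring) rather than generating source text removes the injection point entirely; the allowlist is a second layer, not a substitute.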

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-42214

Affected Products

Notepadnext