Update Notepad++ (Notepad++ Team) to version 8.8.1


CVE Vulnerabilities for Notepad++

| CVE | Published | Severity | Details | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| CVE-2023-6401 | 2023-11-30 15:15:10 | HIGH (8) | A vulnerability classified as problematic was found in NotePad++ up to 8.1. Affected by this vulnerability is an unknown functionality of the file dbghelp.exe. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The identifier VDB-246421 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2 | 6 | LOCAL |
| CVE-2023-47452 | 2023-11-30 21:15:09 | HIGH (8) | An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory. | 2 | 6 | LOCAL |
| CVE-2023-40166 | 2023-08-25 21:15:09 | MEDIUM (6) | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in `FileManager::detectLanguageFromTextBegining`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++. | 2 | 4 | LOCAL |
| CVE-2023-40164 | 2023-08-25 21:15:09 | MEDIUM (6) | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `nsCodingStateMachine::NextStater`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++. | 2 | 4 | LOCAL |
| CVE-2023-40036 | 2023-08-25 20:15:09 | MEDIUM (6) | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++. | 2 | 4 | LOCAL |
| CVE-2023-40031 | 2023-08-25 20:15:09 | HIGH (8) | Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code execution. As of time of publication, no known patches are available in existing versions of Notepad++. | 2 | 6 | LOCAL |
| CVE-2022-32168 | 2022-09-28 09:15:10 | HIGH (8) | Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++. | 2 | 6 | LOCAL |
| CVE-2022-31902 | 2023-02-01 02:15:08 | MEDIUM (6) | Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). | 2 | 4 | LOCAL |
| CVE-2022-31901 | 2023-01-19 23:15:11 | MEDIUM (7) | Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files. | 3 | 4 | NETWORK |
| CVE-2019-16294 | 2019-09-14 16:15:11 | HIGH (8) | SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. | 2 | 6 | LOCAL |
| CVE-2017-8803 | 2017-07-05 20:29:03 | HIGH (8) | Notepad++ 7.3.3 (32-bit) with Hex Editor Plugin v0.9.5 might allow user-assisted attackers to execute code via a crafted file, because of a "Data from Faulting Address controls Code Flow" issue. One threat model is a victim who obtains an untrusted crafted file from a remote location and issues several user-defined commands. | 2 | 6 | LOCAL |

What applications does Lavawall® monitor?

Lavawall monitors patches for over 7,500 applications. This is a summary of the most popular applications.
Logos are property of their respective trademark holders and are not affiliated with ThreeShield or Lavawall. We have not audited the security of most of the listed tools.
Logos, products, trade names, and company names are all the property of their respective trademark holders.
The above listing includes products that Lavawall® monitors through public information and/or proprietary statistical analysis.
Although we do have a partner relationship with some of the listed products and companies, they do not necessarily endorse Lavawall® or have integrations with our systems.