CVE-2022-32168

HIGH

Notepad-plus-plus Notepad++ < 8.4.5 - Uncontrolled Search Path

Title source: rule

Description

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (UxTheme.dll) with his own dll and run arbitrary code in the context of Notepad++.

References (2)

[Patch, Third Party Advisory] https://github.com/notepad-plus-plus/notepad-plus-plus/commit/85d7215d9b3e0d5a8433fc31aec4f2966821051e

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://www.mend.io/vulnerability-database/CVE-2022-32168

Scores

CVSS v3 7.8

EPSS 0.0008

EPSS Percentile 23.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

notepad-plus-plus/notepad\+\+ < 8.4.5

Timeline

Published Sep 28, 2022

Tracked Since Feb 18, 2026