CVE-2026-3008

MEDIUM

Vulnerability in Notepad++

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-3008. PoCs published by llgsjsm.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-3008, a format string injection vulnerability in Notepad++ 8.9.3. The vulnerability arises from unvalidated format strings in `nativeLang.xml` being passed to `wsprintfW`, leading to DoS and information disclosure.

Description

Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.

Exploits (1)

nomisec WRITEUP
by llgsjsm · poc
https://github.com/llgsjsm/cve-2026-3008

Classification
Writeup 100%
Attack Type
DoS | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Notepad++ 8.9.3
No auth needed
Prerequisites: Tampered `nativeLang.xml` file in the Notepad++ directory or AppData folder · User interaction to perform a search operation
devstral-2 · analyzed Apr 27, 2026

Scores

CVSS v3 6.6
EPSS 0.0022
EPSS Percentile 12.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-134
Status published
Products (1)
Notepad++/Notepad++ 8.9.3
Published Apr 27, 2026
Tracked Since Apr 27, 2026