Two dangerous vulnerabilities CVE-2026-3008 and CVE-2026-6539 have been discovered in Notepad++ version 8.9.3. A format string injection flaw that can crash the application and leak sensitive memory data. Singapore’s Cybersecurity Agency CSA has issued an urgent advisory and advised to update to version 8.9.4 immediately.
One of the most trusted tools of developers, system administrators, and security analysts is today under a serious security threat. The Cybersecurity Agency of Singapore (CSA) has issued a CVE ID named CVE-2026-3008 for a vulnerability reported in Notepad++ and confirmed that successful exploitation of this string injection vulnerability could allow an attacker to obtain memory address information or crash the application.
This vulnerability affects Notepad++ version 8.9.3 a version that is currently actively installed on millions of systems worldwide and another flaw CVE-2026-6539 has also been addressed by the same patch. ACN has confirmed that a public Proof of Concept (PoC) exploit for CVE-2026-3008 is already available on GitHub which meaning organizations that have not yet updated could face real and immediate exploitation.
Find in Files Starting Point of the Issue
This vulnerability is rooted in the way Notepad++ processes language and localization configuration files. When a user uses the popular Find in Files search feature and the application fails to safely validate text input contained in the find-result-hits parameter within the nativeLang.xml file.
This is a classic format string injection vulnerability. If an attacker introduces a maliciously crafted nativeLang.xml file containing specific format string payloads such as the %s specifier onto a victims system and they can directly manipulate the applications behavior.
String injection flaws can sometimes occur in conjunction with other vulnerabilities and lead to more serious outcomes and while the stated impact of this flaw is memory disclosure and denial-of-service, organizations should not assume that the risk is limited to this.
Memory disclosure vulnerabilities are often used to bypass security mitigations such as ASLR (Address Space Layout Randomization) which makes it much easier for attackers to develop next-stage exploits.
CVE-2026-6539 also relates to improper parsing of format strings in the nativeLang.xml file and could lead to application crashes or memory disclosure. Both flaws are different manifestations of the same root cause.
This is not just an issue for individual users successful exploitation could disrupt the workflows of developers, system administrators and the security analysts who rely on Notepad++ daily.
In enterprise environments where Notepad++ is mass-deployed on developer workstations a malicious nativeLang.xml file could be silently distributed via shared network resources or poisoned software update channels without IT teams even noticing.
Patch Released Update Immediately
Notepad++ Product Owner Hazley Samsudin has addressed both CVE-2026-3008 and CVE-2026-6539 with the release of version 8.9.4. This fix resolves crash behavior caused by improperly parsing format strings from the nativeLang.xml file and all the details of the patch are publicly documented on the official Notepad++ GitHub repository under issue #17960.
CSA has advised users and administrators to immediately update to Notepad++ version 8.9.4 verify the integrity of the downloaded installer with official checksums and monitor systems for any unusual application behavior that could indicate prior exploitation.
Organizations should prioritize this task within their standard patch management cycles. Inventory Notepad++ installations across endpoints server environments and the development tooling and deploy version 8.9.4.
Users who use custom nativeLang.xml configurations should especially apply this update without delay and immediately avoid custom XML language packs downloaded from any third-party or unverified sources.