Changeflow GovPing Data Privacy & Cybersecurity Italy ACN Publishes Critical Notepad++ CVE-2026...
Priority review Notice Added Final

Italy ACN Publishes Critical Notepad++ CVE-2026-3008 Alert With Public PoC

Favicon for www.acn.gov.it Italy ACN News alt
Published
Detected
Email

Summary

ACN published alert AL01/260427/CSIRT-ITA on April 27, 2026, disclosing that a public Proof of Concept exploit is available for CVE-2026-3008, a critical string injection vulnerability in Notepad++ version 8.9.3. The flaw affects the Find Results panel where the application uses an attacker-controlled string from nativeLang.xml as a format string in wsprintfW, potentially exposing sensitive data from process registers and stack memory. The vulnerability carries a CVSS v4.0 score of 10.0 and has been patched by the vendor; users are advised to update to the latest stable release immediately.

Published by ACN on acn.gov.it . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

GovPing monitors Italy ACN News alt for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 12 changes logged to date.

View original document View source feed page

What changed

ACN published a critical alert warning that a public Proof of Concept exploit exists for CVE-2026-3008, a string injection vulnerability in Notepad++ version 8.9.3. The vulnerability stems from improper use of the attribute from nativeLang.xml as a format string in the Windows wsprintfW function without variadic parameter validation, allowing an attacker who can modify nativeLang.xml to expose data from process registers and the stack. Affected parties using Notepad++ 8.9.3 should update to the latest stable release immediately, as the vendor has already released a patched version.

What to do next

  1. Update to the latest stable version of Notepad++

Archived snapshot

Apr 27, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Notepad++: PoC pubblico per lo sfruttamento della CVE-2026-3008

**
Alert**

AL01/260427/CSIRT-ITA

Condividi
- Facebook
- Twitter
- LinkedIn
- Whatsapp

Sintesi

Disponibile un Proof of Concept (PoC) per la CVE-2026-3008 – già sanata dal vendor – presente nel software “Notepad++”, noto editor di testo avanzato per Windows. Tale vulnerabilità, qualora sfruttata, potrebbe consentire ad un utente malintenzionato di compromettere la disponibilità del servizio o accedere a informazioni sensibili presenti nei registri e nello stack del processo Notepad++ in esecuzione sul sistema locale.

Tipologia

  • Denial of Service
  • Information Disclosure

Descrizione e potenziali impatti

La vulnerabilità, tracciata tramite la CVE-2026-3008 – di tipo “ String Injection ” e con CVSS v4.0 pari a 10 – interessa il pannello “Find Results” di Notepad++ 8.9.3 e in particolare la gestione delle stringhe localizzate provenienti dal file nativeLang.xml. Nel dettaglio, il problema risiede nelle modalità con cui Notepad++ inizializza il pannello dei risultati di ricerca: durante la formattazione dell’etichetta che indica il numero di risultati trovati, l’applicazione recupera il valore dell’attributo dal file nativeLang.xml e lo utilizza direttamente come stringa di formato in una chiamata alla funzione Windows wsprintfW, senza alcuna validazione preventiva e senza fornire parametri variadici [1] aggiuntivi. Poiché wsprintfW interpreta i caratteri di formato presenti nella stringa, un attaccante che abbia la possibilità di manipolare il file nativeLang.xml (ad esempio distribuendo un language pack apparentemente legittimo ma alterato) può inserire specificatori come %s o %08lx, al fine di compromettere la disponibilità del servizio o accedere a informazioni sensibili presenti nei registri e nello stack del processo Notepad++ in esecuzione sul sistema locale.

Prodotti e versioni affette

  • Notepad++, versione 8.9.3

Azioni di mitigazione

Ove non provveduto, si raccomanda di aggiornare tempestivamente le release vulnerabili all’ultima versione stabile disponibile.

[1] I parametri variadici sono gli argomenti che una funzione di formattazione utilizza per sostituire gli specificatori presenti nella stringa di formato. Nel caso della CVE‑2026‑3008, Notepad++ invoca wsprintfW passando una stringa controllabile come format string senza fornire i corrispondenti parametri variadici, causando l’interpretazione di dati residui nei registri e nello stack

CVE (1)

Cerca:
| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2026-3008 | Presente | - |

Riferimenti (3)

  1. https://nvd.nist.gov/vuln/detail/cve-2026-3008
  2. https://community.notepad-plus-plus.org/topic/27500/notepad-v8-9-4-release-candidate
  3. https://notepad-plus-plus.org/downloads

Change log

Versione Note Data
1.0 Pubblicato il 27-04-2026 27/04/2026

Impatto sistemico

Critico (79.48)

Argomenti

Data pubblicazione

27/04/26 ore 13:33

Data Ultimo Aggiornamento

27/04/26 ore 13:33

Related changes

Favicon for www.acn.gov.it Grafana Tempo High-Severity Vulnerability Fixed CVE-2026-21728
Priority review Apr 25, 2026 Italy ACN News alt Data Privacy & Cybersecurity
Favicon for www.acn.gov.it Ruby ERB Remote Code Execution Vulnerability CVE-2026-41316
Priority review Apr 23, 2026 Italy ACN News alt Data Privacy & Cybersecurity
Favicon for www.csirt.gov.it Bitwarden CLI Supply Chain Attack: Malicious Version 2026.4.0 Exfiltrates Credentials
Priority review Apr 24, 2026 Italy CSIRT Advisories Data Privacy & Cybersecurity

Get daily alerts for Italy ACN News alt

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.acn.gov.it
Italy ACN News alt acn.gov.it/portale/feedrss/-/journal/rss/20119/723192
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from ACN.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
ACN
Published
April 27th, 2026
Instrument
Notice
Branch
Executive
Source language
it
Legal weight
Non-binding
Stage
Final
Change scope
Minor

Who this affects

Applies to
Technology companies Manufacturers
Industry sector
5112 Software & Technology
Activity scope
Vulnerability disclosure Software patching Cybersecurity advisory
Geographic scope
IT IT

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy Software & Technology

Browse Categories

Agriculture & Food Safety 84 AI Regulation 1 Banking & Finance 507 Consumer Protection 142 Courts & Legal 630 Data Privacy & Cybersecurity 153 Defense & National Security 52 Education 63 Energy 135 Environment 170 Government & Legislation 529 Healthcare 1 Healthcare & Life Sciences 412 Immigration 11 Insurance 90 Labor & Employment 196 Pharma & Drug Safety 13 Real Estate & Housing 76 Securities & Markets 178 Tax 118 Telecom & Technology 57 Trade & Sanctions 167 Transportation 132

Get alerts for this source

We'll email you when Italy ACN News alt publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!