
Notepad++ CVE-2026-3008 PoC Released, CVSS 10 String Injection


Summary

Italy's CSIRT published alert AL01/260427/CSIRT-ITA on April 27, 2026, advising that a public Proof of Concept (PoC) exploit is available for CVE-2026-3008, a critical string injection vulnerability in Notepad++ 8.9.3. The flaw, with a CVSS v4.0 score of 10, lies in the "Find Results" panel's handling of localized strings from the nativeLang.xml file: the application passes a user-controllable string directly to the Windows function wsprintfW as a format string without variadic parameters, allowing an attacker to read process stack/register data or crash the application. Notepad++ had already released version 8.9.4 with a fix.

Why this matters

Organizations should audit their Windows endpoint populations for Notepad++ 8.9.3 installations. While the nominal attack path requires an attacker to already have write access to nativeLang.xml (e.g., via a malicious language pack), the CVSS 10 severity and public PoC make this a priority patch. Security teams should also consider whether endpoint management tools can enforce version baselines on portable or user-installed Notepad++ instances, which often escape standard software deployment controls.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CSIRT-ITA on acn.gov.it. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.


What changed

The CSIRT advisory formally notifies Italian entities of a publicly available PoC for CVE-2026-3008, a string injection vulnerability in Notepad++ 8.9.3. The technical description explains how an attribute value from the nativeLang.xml file is used as the format string in a wsprintfW call without variadic arguments, so that arbitrary format specifiers (%s, %08lx) can leak stack and register contents or cause a denial of service. The vendor has already patched the issue in Notepad++ version 8.9.4.

Affected parties running Notepad++ 8.9.3 on Windows systems should immediately update to the latest stable version. Organizations using Notepad++ in environments where untrusted language packs could be distributed should treat any non-official nativeLang.xml with caution, as the attack vector involves deploying a modified language pack.

Archived snapshot

Apr 28, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.


Notepad++: public PoC for exploitation of CVE-2026-3008

**Alert**

AL01/260427/CSIRT-ITA


Summary

A Proof of Concept (PoC) is available for CVE-2026-3008 – already fixed by the vendor – present in the “Notepad++” software, a well-known advanced text editor for Windows. This vulnerability, if exploited, could allow a malicious user to compromise service availability or access sensitive information present in the registers and stack of the Notepad++ process running on the local system.

Type

  • Denial of Service
  • Information Disclosure

Description and potential impact

The vulnerability, tracked as CVE-2026-3008 – of type “String Injection” and with a CVSS v4.0 score of 10 – affects the “Find Results” panel of Notepad++ 8.9.3 and in particular the handling of localized strings coming from the nativeLang.xml file. Specifically, the problem lies in how Notepad++ initializes the search results panel: when formatting the label that shows the number of results found, the application retrieves the attribute value from the nativeLang.xml file and uses it directly as the format string in a call to the Windows function wsprintfW, with no prior validation and without supplying any additional variadic parameters [1]. Because wsprintfW interprets the format characters present in the string, an attacker able to manipulate the nativeLang.xml file (for example by distributing an apparently legitimate but altered language pack) can insert specifiers such as %s or %08lx in order to compromise service availability or access sensitive information present in the registers and stack of the Notepad++ process running on the local system.
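As an added example (not Notepad++ code and not taken from the advisory), the following C program models the defect class described above and in footnote [1]: a label loaded from a language pack is validated for stray format directives and then always passed as an argument, never as the format string. `swprintf` stands in for the Windows-only `wsprintfW`, and the sample labels standing in for nativeLang.xml attribute values are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed sample labels standing in for nativeLang.xml attribute values
 * (not real Notepad++ language-pack content). */
static const wchar_t *kLabelTrusted  = L"Search results";
static const wchar_t *kLabelEscaped  = L"100%% done";
static const wchar_t *kLabelTampered = L"%s %08lx %08lx";

/* Count '%' directives that are not the literal "%%" escape. A label that is
 * supposed to be plain text must return 0; anything else would be consumed
 * by wsprintfW/swprintf as a request to read a (non-existent) argument. */
size_t count_format_directives(const wchar_t *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != L'%') continue;
        if (s[1] == L'%') { s++; continue; }   /* "%%" is a literal percent */
        n++;                                    /* includes a trailing lone '%' */
    }
    return n;
}

/* Policy for untrusted localized text: refuse any label carrying directives
 * and fall back to a built-in default instead of rendering it. */
const wchar_t *pick_label(const wchar_t *localized, const wchar_t *fallback)
{
    return count_format_directives(localized) == 0 ? localized : fallback;
}

/* Hardened rendering: the label is the argument of a fixed format, so its
 * content is copied verbatim and never interpreted. The vulnerable shape the
 * advisory describes is swprintf(out, cap, label) with no further arguments. */
int render_label(wchar_t *out, size_t cap, const wchar_t *label)
{
    return swprintf(out, cap, L"%ls", label);
}

/* True when render_label reproduces the label byte-for-byte, i.e. no
 * directive inside it was expanded. */
bool renders_verbatim(const wchar_t *label)
{
    wchar_t buf[128];
    if (render_label(buf, sizeof buf / sizeof buf[0], label) < 0)
        return false;
    return wcscmp(buf, label) == 0;
}

int main(void)
{
    const wchar_t *labels[] = { kLabelTrusted, kLabelEscaped, kLabelTampered };
    wchar_t buf[128];
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        const wchar_t *chosen = pick_label(labels[i], kLabelTrusted);
        render_label(buf, sizeof buf / sizeof buf[0], chosen);
        wprintf(L"label %zu: %zu directive(s) -> rendered \"%ls\"\n",
                i, count_format_directives(labels[i]), buf);
    }
    return 0;
}
```

The validation step is what a language-pack loader can apply at import time; the fixed-format `render_label` is the pattern that removes the bug class even when validation is skipped, because the untrusted text can no longer select what the formatting function reads.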

Affected products and versions

  • Notepad++, version 8.9.3

Mitigation actions

Where not already done, it is recommended to promptly update vulnerable releases to the latest available stable version.

[1] Variadic parameters are the arguments that a formatting function uses to replace the specifiers present in the format string. In the case of CVE-2026-3008, Notepad++ invokes wsprintfW passing a controllable string as the format string without supplying the corresponding variadic parameters, causing leftover data in the registers and on the stack to be interpreted.

CVE (1)

| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2026-3008 | Present | - |

References (3)

  1. https://nvd.nist.gov/vuln/detail/cve-2026-3008
  2. https://community.notepad-plus-plus.org/topic/27500/notepad-v8-9-4-release-candidate
  3. https://notepad-plus-plus.org/downloads

Change log

| Version | Notes | Date |
| --- | --- | --- |
| 1.0 | Published on 27-04-2026 | 27/04/2026 |

Systemic impact

Critical (79.48)

Topics

Publication date

27/04/26 at 13:33

Last update

27/04/26 at 13:33


About this page


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CSIRT-ITA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

- Agency: CSIRT-ITA
- Published: April 27th, 2026
- Instrument: Notice
- Branch: Executive
- Source language: it
- Legal weight: Non-binding
- Stage: Final
- Change scope: Substantive

Who this affects

- Applies to: Technology companies, Government agencies, Manufacturers
- Industry sector: 5112 Software & Technology
- Activity scope: Vulnerability disclosure, Patch management, Software updates
- Geographic scope: Italy (IT)

Taxonomy

- Primary area: Cybersecurity
- Operational domain: IT Security
- Compliance frameworks: NIST CSF
- Topics: Data Privacy, Consumer Protection
