Notepad++ CVE-2026-3008 Format String Injection Vulnerability and POC

CVE-2026-3008: Summary of Format String Injection Vulnerability in Notepad++ Vulnerability Overview Vulnerability ID: CVE-2026-3008 Vulnerability Type: Format String Injection Trigger Component: (Language Pack File) Root Cause: When parsing search results, Notepad++ directly uses user-controllable XML attribute values as the format string argument for the function, rather than as data arguments. Attackers can trigger the vulnerability by constructing an XML file containing placeholders. Impact Scope Affected Product: Notepad++ Affected Versions: 8.9.3 (x64, both installer and portable versions) Attack Vector: Malicious language pack ( ) Impact: 1. Reliable Crash (DoS): Using placeholders such as leads to access violations. 2. Information Disclosure: Using and placeholders allows leakage of stack and register contents. Remediation Status: CVE ID assigned. Timeline: 2026-04-09: Vulnerability confirmed (crash and information disclosure). 2026-04-10: Identified that has a 1024-character output limit. 2026-04-10: Vulnerability reported to CSA (Notepad++ Security Team). 2026-04-16: CSA contacted the Notepad++ team. 2026-04-27: CVE-2026-3008 officially assigned. POC Code (Exploit Code) 1. Constructing the malicious file: 2. Deployment and Exploitation Steps: 1. Save the above file as . 2. Place it in the following location: Portable Version: Installer Version: 3. Open Notepad++ and search for any text. 4. Click "Find All in Current Document"**. 5. The program will crash immediately.

Goal Reached Thanks to every supporter — we hit 100%!

Notepad++ CVE-2026-3008 Format String Injection Vulnerability and POC