15 CVEs

1 in CISA KEV

notepad-plus-plus Vulnerabilities

CVE security advisories and vulnerability history for notepad-plus-plus.

15

Total CVEs

Published

1

In CISA KEV

Exploited in the wild

8

Public exploits

With known exploit

6.4

Avg CVSS

2017–2026

Overview

notepad-plus-plus has 15 published CVE records since 2017, of which 1 are in CISA's Known Exploited Vulnerabilities catalog and 8 have a known public exploit. The average CVSS base score across scored CVEs is 6.4.

This page aggregates every publicly disclosed vulnerability (CVE) affecting notepad-plus-plus products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of notepad-plus-plus's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High5

Medium7

Low0

3 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

1

One of notepad-plus-plus's CVEs is confirmed exploited in the wild.

Public exploits

8

8 of notepad-plus-plus's CVEs have a known public exploit available.

Most affected products

The notepad-plus-plus products with the most published CVEs.

notepad\+\+14 CVEs
notepad-plus-plus13 CVEs
Notepad++2 CVEs
hex editor1 CVEs
scintilla1 CVEs

Common weakness types

The CWE weakness categories most often found in notepad-plus-plus CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish notepad-plus-plus CVE records.

Disclosure activity by year

How many notepad-plus-plus CVEs were published each year.

2017

1

2019

1

2022

1

2023

8

2025

1

2026

3

Latest notepad-plus-plus CVEs

The most recently disclosed vulnerabilities affecting notepad-plus-plus.

Notepad++ 8.9.3 Format String Injection via nativeLang.xml
CWE-134
Medium · CVSS 4.6
EPSS 0.0%2026-04-30
Notepad++ has an Untrusted Search Path
CWE-426
High · CVSS 7.3
EPSS 0.0%2026-02-18
Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification
CISA KEV
CWE-494
High · CVSS 7.7
EPSS 6.1%2026-02-03
Notepad++ Privilege Escalation in Installer via Uncontrolled Executable Search Path
CWE-276
High · CVSS 7.3
EPSS 0.1%2025-06-23
Medium vulnerability · 2023-11-30
CWE-427
Medium · CVSS 5.3
EPSS 0.0%2023-11-30
Vulnerability vulnerability · 2023-11-30
Unscored
EPSS 0.1%2023-11-30
Notepad++ heap buffer read overflow in FileManager::detectLanguageFromTextBegining
CWE-120
Medium · CVSS 5.5
EPSS 0.1%2023-08-25
Medium vulnerability · 2023-08-25
CWE-120
Medium · CVSS 5.5
EPSS 0.1%2023-08-25
Notepad++ global buffer read overflow in CharDistributionAnalysis::HandleOneChar
CWE-120
Medium · CVSS 5.5
EPSS 0.1%2023-08-25
High vulnerability · 2023-08-25
CWE-120
High · CVSS 7.8
EPSS 0.4%2023-08-25
Medium vulnerability · 2023-02-01
CWE-787
Medium · CVSS 5.5
EPSS 0.2%2023-02-01
Medium vulnerability · 2023-01-19
CWE-787
Medium · CVSS 6.5
EPSS 0.4%2023-01-19

Track new notepad-plus-plus CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor notepad-plus-plus CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about notepad-plus-plus vulnerabilities.

How many CVEs does notepad-plus-plus have?

notepad-plus-plus has 15 published CVE records since 2017, including 4 in the last two years.

How many notepad-plus-plus CVEs are in CISA KEV?

Yes — 1 of notepad-plus-plus's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which notepad-plus-plus products have the most CVEs?

The notepad-plus-plus products with the most published CVEs are notepad\+\+, notepad-plus-plus, Notepad++, hex editor, scintilla.

What are the most common weakness types in notepad-plus-plus CVEs?

notepad-plus-plus's CVEs most often map to these CWE weakness types: CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')), CWE-427 (Uncontrolled Search Path Element), CWE-787 (Out-of-bounds Write), CWE-494 (Download of Code Without Integrity Check).

Are there public exploits for notepad-plus-plus vulnerabilities?

Yes — 8 of notepad-plus-plus's CVEs have a known public exploit.

What is the average severity of notepad-plus-plus CVEs?

The average CVSS base score across notepad-plus-plus's scored CVEs is 6.4.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track notepad-plus-plus vulnerabilities

Monitor new notepad-plus-plus vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing