CVE-2026-5525 | Notepad++ up to 8.9.3 File Drop stack-based overflow

VDB-356803 · CVE-2026-5525 · GCVE-0-2026-5525 NOTEPAD++ UP TO 8.9.3 FILE DROP STACK-BASED OVERFLOW HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.1 $0-$5k 1.88 Summaryinfo A vulnerability classified as critical has been found in Notepad++ up to 8.9.3. The impacted element is an unknown function of the component File Drop Handler. This manipulation causes stack-based overflow. This vulnerability appears as CVE-2026-5525. The attack requires local access. There is no available exploit. It is recommended to upgrade the affected component. Detailsinfo A vulnerability was found in Notepad++ up to 8.9.3. It has been declared as critical. Affected by this vulnerability is some unknown processing of the component File Drop Handler. The manipulation with an unknown input leads to a stack-based overflow vulnerability. The CWE definition for the vulnerability is CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is: A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN). It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-5525 since 04/04/2026. The exploitation appears to be difficult. Attacking locally is a requirement. The technical details are unknown and an exploit is not publicly available. Upgrading to version 8.9.4 eliminates this vulnerability. Productinfo Type Document Reader Software Name Notepad++ Version 8.9.0 8.9.1 8.9.2 8.9.3 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.2 VulDB Meta Temp Score: 5.1 VulDB Base Score: 4.5 VulDB Temp Score: 4.3 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 6.0 CNA Vector (securin): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Stack-based overflow CWE: CWE-121 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: Partially Local: Yes Remote: Partially Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Notepad++ 8.9.4 Timelineinfo 04/04/2026 CVE reserved 04/10/2026 +6 days Advisory disclosed 04/10/2026 +0 days VulDB entry created 04/10/2026 +0 days VulDB entry last update Sourcesinfo Advisory: github.com Status: Confirmed CVE: CVE-2026-5525 (🔒) GCVE (CVE): GCVE-0-2026-5525 GCVE (VulDB): GCVE-100-356803 Entryinfo Created: 04/10/2026 10:20 Changes: 04/10/2026 10:20 (64) Complete: 🔍 Cache ID: 99:BD6:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸