Vulnerabilities in Notepad ++ (Sept. 2023)

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,696
Several vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) are believed to exist in the popular Notepad ++ editor and have been reported to the developer by a security researcher. The vulnerability ratings range from medium to high. Although this report was made several months ago, there is no security update for Notepad ++ yet, although several product updates have been made in the meantime. When an update will be available is currently open.
Although the developer released product updates, the vulnerabilities were not closed. In addition, the developer stated that Notepad v8.5.4 could not be compiled with AddressSanitizer (ASAN) as a security option. In July 2023, it was confirmed that v8.5.4 could be compiled with ASAN. However, the developer has released further Notepad++ updates without fixing the reported vulnerabilities.

After the problems were pointed out to the developer several times, he was sent a proof of concept in binary format (instead of as a Python script). There has been no reaction so far, although further updates of notepad ++ have been made. The security researcher then published his findings on August 21, 2023. When an update to fix the vulnerabilities will come is still unclear. However, there is this 2-day-old comment from the developer that he has accepted the request to fix the vulnerability – the publication of the vulnerabilities seems to have worked.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,696
Notepad++ v8.5.7 Release (Vulnerability fixes)
Notepad++ v8.5.7 release: Vulnerability fixes | Notepad++

Notepad++ v8.5.7 Change log:

  1. Fix 4 security issues CVE-2023-40031, CVE-2023-40036, CVE-2023-40164 & CVE-2023-40166. (Fix #14073 )
  2. Security enhancement: Sign uninstall.exe. (Fix #14099 )
  3. Change the slogan in installer. (Fix #14052 )
  4. Fix eventual memory leak while reading Utf8-16 files. (Fix #4120 , #5806 , #4443 )
  5. Fix dragging tab performance issue while Document List is displayed. (Fix #13479 , #12632 )
  6. Add supperss 2GB file warning option for x64. (Fix #14055 )
  7. Fix cloned document disassociated issue after Notepad++ being relaunched. (Fix #10266 )
  8. Fix session file saving problem if it’s read-only. (Fix #14024 , #13894 , #13859 )
  9. Fix activating wrong file(s) issue after loading session file. (Fix #14006 )
  10. Fix product version value displayed in file’s properties. (Fix #14010 , #11886 , #11431 )
Please report here if you find any regression and critical bug. For other issues please post to General Discussion or other topics.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,696
Notepad++ v8.6: 20th-Year Anniversary
Notepad++ v8.6.0 release notes:

Today, Notepad++ celebrates its 20th anniversary, marking two decades of evolution from the inaugural v1.0 release on SourceForge in 2003 to the current v8.6, encompassing 238 official releases. Reflecting on the early days, Don Ho - the creator and lead developer - recalls the solitary journey of coding, web design, marketing, and more, likening open-source projects to a solo endeavor on a deserted island.

Notepad++ v8.6.0 changelog:
  • Multi-edit is fully supported in Notepad++. (Fix #14266, #8203)
  • Make multi-select background & caret colours customizable. (Fix #14302)
  • Make session inaccessible files remembered (empty & read-only document as placeholder). (Fix #12079, #12744, #13696)
  • Fix missing session invalid error for user session & enhance API NPPM_GETNBSESSIONFILES. (Fix #14228)
  • Fix network shared files saving regression. (Fix #14300)
  • Update Scintilla to v5.3.8 & Lexilla to v5.2.8. (Fix #13442, #14188, #14288)
  • Fix docking panel crash due to messing up config.xml. (Fix bug report
  • Fix invalid styler.xml making Notepad++ crash issue. (Fix #12101)
  • Fix tab-closing crash by middle mouse button (unexpected mouse position). (Fix #14328)
  • Fix 2 performance issues in Style Configurator. (Fix #14321)
  • Add 3 line operation (delete, copy & cut) shortcuts. (Fix #14296)
  • Display extra info in the status bar of Find/Replace dialog to avoid PEBKAC. (Fix #14307)
  • Fix “Hide lines” command hiding unselected lines issue. (Fix #14166)
  • Fix silent installer mode when Notepad++ is running issue. (Fix #10189, #10277, #22514, #14236, fix partially #8514)
  • Fix Updater’s vulnerability (update cURL in WinGUp for fixing CVE-2023-38545). (Fix WinGUp issue #50)
  • Fix incoherent behaviour of “Duplicate Current Line” menu command. (Fix #5298)
  • Fix JSON5 not using JSON keywords. (Fix #14205)
  • Fix empty message showing while cancelling session file saving dialog. (Fix #14235)
 
Last edited:

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,696
Notepad++ v8.6.5 release
2024-03-30

To address a performance issue of “Replace All” in previous version 8.6.4, Notepad++ no longer triggers SCN_MODIFIED and other Scintilla notifications during the “Replace All” action. Consequently, some plugins that rely on Scintilla’s notifications may malfunction after a “Replace All” operation. To rectify this regression, a new notification called NPPN_GLOBALMODIFIED has been implemented in Notepad++ v8.6.5. Plugin developers should monitor NPPN_GLOBALMODIFIED alongside SCN_MODIFIED, if SCN_MODIFIED is already monitored in the plugin. For additional information about NPPN_GLOBALMODIFIED, please refer to this link: New NPPN_GLOBALMODIFIED notification

The session loss problem and the data loss due to the power outages issue are also addressed in this release.

There are more enhancements & bug-fixes. Get more info about this release or download v8.6.5 here: Download Notepad++ v8.6.5 | Notepad++
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,696
Notepad++ v8.6.6 release
Notepad++ release 8.6.6 change log:
  1. Update to scintilla 5.5.0 & Lexilla 5.3.2. (Merge #15042 )
  2. Fix crash when crossing the 2GB file size threshold. (Fix #14944 , #14981 )
  3. Fix a performance issue due to URL recognition. (Fix #13916 )
  4. Update to nlohman json 3.11.3. (Merge #15041 )
  5. Fix multi-edit resists escape after typing issue. (Fix #14649 )
  6. Make F3 & Shift-F3 work in Find Replace dialog. (Fix #2138 )
  7. Allow Ctrl-TAB to switch tabs in FindReplace, PluginAdmin and UDL dialogs. (Fix #7932 , #14975 )
  8. Add programming language support for Go & Raku(Perl 6). (Fix #8090 , #4465 )
  9. Fix user defined auto-insert not working issue. (Fix #3171 , #8063 , #12547 , #14831 )
  10. Enhance GUI: resize checkboxes/radio buttons as text length needs. (Fix #15006 )
  11. Enhance GUI: make sizing arrows more coherent in Find dialog. (Fix #15099 )
  12. Fix URL enclosed in apostrophes or backtick not working issue. (Fix #14978 , #14323 , #14212 )
  13. Fix wrong dropped file view issue. (Fix #14951 )
  14. Fix Korean(한)/English(영) key not working regression. (Fix #14400 , #14973 )
  15. Fix the tab labels of some dialogs being cut in Dark mode. (Fix #11012 )
  16. Fix close button disappeared issue in Find Replace dialog. (Fix #14940 )
  17. Apply dark theme to checkbox buttons on Windows 11. (Fix #14929 )
  18. Fix menu bar cluttered in Dark Mode issue. (Fix #10130 )
  19. Fix Debug Info minor display regression. (Fix #14921 )
  20. Enhance Lua language syntax highlighting. (Fix #7615 , #15081 )
  21. Improve the function list support for Ada. (Fix #14908 , #14687 , #14498 )
Auto-update will be triggered in one week if no critical issue found.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,696
Notepad++ v8.6.7 Release
Notepad++ release 8.6.7 change log:
  1. Fix regression of multi-edit cursors placed wrongly issue. (Fix #15126 )
  2. Fix multi-editing not showing multiple cursors in dark mode. (Fix #15075 )
  3. Add auto-completion for Go & Raku, function list for Raku. (Implement #15128 )
  4. Fix symbol ‘&’ not showing in Document Switcher. (Fix #15117 )
  5. Allow syntax highlighting for custom tags in HTML. (Fix #15093 )
  6. Fix dialogs out of screen problem. (Fix #11240 , #14913 )
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top