Notepad++ v8.9.3 Released — cURL Fixes, Crash Repairs, and Enterprise Controls


Notepad++ has shipped version 8.9.3, a maintenance-focused release that closes a notable security gap in its updater, resolves several long-standing stability regressions, and finishes a multi-release migration to a faster XML parser. For administrators and power users who depend on the editor for daily development work, this update is worth prompt attention: it contains both a security remediation and a set of usability and reliability improvements that reduce operational risk.

What changed — the security story

The most consequential item in v8.9.3 is a security hardening in the auto-update subsystem. Notepad++’s WinGUp component now embeds an updated cURL library (v8.19.0) to address CVE-2025-14819. This patch reduces the attack surface for man-in-the-middle or update delivery attacks that could target the updater. Separately, the team fixed a regression where plugin installation or removal could inadvertently relaunch Notepad++ with permanent administrative privileges — a scenario that risked privilege escalation during routine plugin management. Both fixes matter for users who install third-party plugins or operate in environments where update integrity and least-privilege operation are critical.

Preserved summary table from the original release notes

| Vulnerability / Issue | Component Affected  | Resolution                                                  |
|-----------------------|---------------------|-------------------------------------------------------------|
| CVE-2025-14819        | WinGUp Auto-Updater | Updated embedded cURL to v8.19.0                            |
| Admin Privilege Bug   | Plugin Manager      | Prevented permanent admin rights upon N++ restart           |
| MITM Update Failure   | Network / Updater   | Fixed plugin and update downloads behind corporate proxies  |

Core upgrades and stability fixes

This release completes Notepad++’s migration from TinyXML to the pugixml parser, a move intended to speed up reading and writing of configuration files and reduce subtle parsing regressions. Alongside that structural change, core components were updated: Scintilla is now at 5.6.0 and Lexilla at 5.4.7. The engineering team also addressed several crash and rendering issues that had impacted reliability:

  • Printing no longer triggers an application crash.
  • User Defined Languages (UDL) related fatal errors have been fixed.
  • A memory leak that occurred on application exit has been closed, improving long-running session stability.
  • Localized Workspace text regressions and incorrect text display for non-UTF8 documents were corrected.

Enterprise and portability improvements

Recognizing the needs of IT teams managing Notepad++ at scale, the release adds explicit enterprise controls and safety nets:

  • disableNppAutoUpdate.xml: a facility allowing administrators to permanently disable auto-updates even if WinGUp is present. This makes it easier to manage update policies in locked-down or air-gapped environments.
  • Protection for portable packages: the update process now avoids overwriting XML configuration files when administrators update portable installations via copy-and-paste, preserving custom settings during rollouts.
  • Improved updater behavior behind corporate proxies: previously, some plugin and update downloads failed under certain proxy configurations; those scenarios have been mitigated.

Usability and language support improvements

Beyond security and stability, v8.9.3 includes smaller but meaningful quality-of-life fixes and feature additions:

  • Resolved an issue where “Find in Files” would fail to search file content that was already on disk.
  • Eliminated redundant Windows Explorer processes that previously appeared in Task Manager.
  • Added native autocompletion and Function List support for the D programming language, broadening the editor’s usefulness for developers working in that ecosystem.

What you should do next

  • Update promptly: Users who rely on Notepad++ should upgrade to v8.9.3 to obtain the cURL-related security fix and the privilege regression patch.
  • Enterprise policy: If you manage Notepad++ across many machines, consider deploying disableNppAutoUpdate.xml as part of your configuration baseline and test portable update procedures before rolling them out widely.
  • Plugin hygiene: Audit installed plugins and avoid elevating privileges during plugin management. Encourage users to obtain plugins from trusted sources and to apply updates through sanctioned processes.
  • Testing: Validate printing workflows, UDLs, and non-UTF8 file handling if your teams depend on those features, since several of the fixes in this release touch those areas.

Why this matters

Notepad++ remains a ubiquitous tool for many developers, sysadmins, and power users. Small regressions or updater vulnerabilities can ripple into larger operational issues when widely deployed. Version 8.9.3 is a reminder that even mature open-source projects require continuous maintenance and that administrators should treat tool updates as part of routine security hygiene.

Closing thoughts

The v8.9.3 release is a solid, pragmatic update: it neutralizes a specific CVE, repairs regressions introduced during prior transitions, and adds controls that make enterprise management more predictable. For most users, the path forward is straightforward — upgrade, validate, and incorporate the new enterprise options into your deployment playbook.
