Notepad++ v8.9.2 new security enhancements, feature, regression fix & bug-fix:

• Security enhancement: Make updater check interity & authenticity of server-returned XML (XMLDsig). (Implement #17441)
• Security enhancement: Fix untrusted search path vulnerability by launching explorer.exe (Fix CVE-2026-25926)
• Security enhancement: Make auto-updater (WinGUp) even more secured. (Remove unsecured options, remove dll dependency, launch only signed program for plugin management)
• Fix a plugin installation crash due to incorrect processing catch. (Fix #issue)
• Add redact selection feature - Default: █, Modifier (Shift + Click): ●. (Fix #17363)
• Fix context menu shortcut localization not aligning to the right regression. (Fix #17467)

Notepad++ v8.9.1 new security enhancement, features, regression fixes & bug-fixes:

• Fix EOL duplication regression when playing back old recorded macros. (Fix issue)
• Remedy search failure for pasted text containing trailing invisible EOL character. (Fix #17124, #17187)
• Fix customized context menu regression where separator (id=“0”) escapes FolderName submenu. (Fix #17342)
• Fix issue where a single undo reverted multiple changes after macro execution. (Fix #9426)
• Fix visual glitch when dragging dockable dialogs on a 2nd monitor. (Fix #16805, #16155, #16077)
• Fix inconsistent automatic search mode switching (RegEx to Extended) in Find dialog. (Fix #17227)
• Fix incorrect URL parsing caused by Unicode special spaces. (Fix #16856)
• Update to Boost 1.90.0. (Implement #17326)
• Improve update themes feature: fix JavaScript.js edge case. (Fix issue)
• Update javascript.js to better match javascript (embedded) in all themes. (Fix issue, report)
• Function List: enhance for Perl & PHP; add for Nim. (Fix #17382, #17327, implement #17377)
• Fix comments and highlighting in TCL. (Fix #17315)
• Update perl syntax highliging keywords and autocomplete for 5.42. (Fix #17332)
• Improvement: display Find dialog status message with invisible characters warning. (Fix #17345)

From here:

Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables.

The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and executed an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking’s concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.

Mitigation: Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted.

Status: The investigation is ongoing to determine the exact method of traffic hijacking. Users will be informed once tangible evidence regarding the cause is established.

---

Note that starting with v8.8.7, Notepad++ binaries - including the installer - are digitally signed using a legitimate certificate issued by GlobalSign. As a result, Installation of the Notepad++ root certificate is no longer required. We recommend that users who have previously installed the root certificate remove it.

• Make installation and updates easy & quiet by adding “Yes (Silent)” button. (Fix #8514)
• Add new options ‘/closeRunningNpp’ & ‘/runNppAfterSilentInstall’ in the installer. (Implement #15230, implement #15280)
• Fix crash of “Next Search Result” command on the empty search result. (Fix #15247)
• Fix the regression where the Find dialog size is not remembered across sessions. (Fix #15294)
• Fix the regression of content lost by using Encoding “Convert to…” commands. (Fix #15324, #15271, #3054, possibly #9426)
• Fix the regression of exception/crash on Windows Server Core 2022. (Fix #15313)
• Prevent DirectWrite from being enabled under Windows Server. (commit)
• Enhance the quality of Fluent toolbar icon sets for different DPI settings. (Fix #15253)
• Improve the look & feel of tabbar close button in dark mode. (Fix #15321, implement #15326)
• Improve the dark mode tab bar icon in the search results panel. (Implement #15286)
• Add ability to pre-populate the predefined color sets for custom tones. (Fix #15055)
• Add “Show All Character” popup menu on toolbar button. (Fix #14832)
• Fix the rectangular selection copy-paste bug. (Fix #15139, #15151)
• Allow opening shortcut files (*.lnk) directly if the file extension is changed. (Fix #9643, #11089, #10139)
• Fix the lost panels issue. (Fix #13084)
• Add Backspace unindent option. (Fix #15180)
• Fix CSS more indentation bug. (Fix #14962)
• Include F13-F24 keys in Shortcut Mapper. (Fix #11975)
• Fix the problem where the last empty clean untitled tab cannot be closed after renaming. (Fix #15306)
• Add plugin a command (NPPM_SETUNTITLEDNAME) to rename untitled tab. (Fix #8916)
• Display a message box with information about disabled backward regex searching. (Fix #15239)
• Fix the display glitch for unsaved tabs containing tab characters. (Fix #15202)
• Fix status bar and tab bar flicker during the GUI updated (fixed only for dark mode). (Fix #15260)
• Fix the issue with “Begin/End Select” command after deletion. (Fix #15221)
• Resolve the integer overflow problem in the Column Editor. (Fix #15167)
• Adjust the position of hits text in the File Progress dialog. (Fix #13426, #15244)
• Fix the deployment of other software blocked due to NppShell. (Fix #62)

In this release, we’ve addressed a crash and resolved a performance issue. Additionally, we’ve introduced two new programming languages: Go and Raku.

Alongside these updates, you’ll find various enhancements and bug fixes:

1. Update to scintilla 5.5.0 & Lexilla 5.3.2. (Merge #15042)
2. Fix crash when crossing the 2GB file size threshold. (Fix #14944, #14981)
3. Fix a performance issue due to URL recognition. (Fix #13916)
4. Update to nlohman json 3.11.3. (Merge #15041)
5. Fix multi-edit resists escape after typing issue. (Fix #14649)
6. Make F3 & Shift-F3 work in Find Replace dialog. (Fix #2138)
7. Allow Ctrl-TAB to switch tabs in FindReplace, PluginAdmin and UDL dialogs. (Fix #7932, #14975)
8. Add programming language support for Go & Raku(Perl 6). (Fix #8090, #4465)
9. Fix user defined auto-insert not working issue. (Fix #3171, #8063, #12547, #14831)
10. Enhance GUI: resize checkboxes/radio buttons as text length needs. (Fix #15006)
11. Enhance GUI: make sizing arrows more coherent in Find dialog. (Fix #15099)
12. Fix URL enclosed in apostrophes or backtick not working issue. (Fix #14978, #14323, #14212)
13. Fix wrong dropped file view issue. (Fix #14951)
14. Fix Korean(한)/English(영) key not working regression. (Fix #14400, #14973)
15. Fix the tab labels of some dialogs being cut in Dark mode. (Fix #11012)
16. Fix close button disappeared issue in Find Replace dialog. (Fix #14940)
17. Apply dark theme to checkbox buttons on Windows 11. (Fix #14929)
18. Fix menu bar cluttered in Dark Mode issue. (Fix #10130)
19. Fix Debug Info minor display regression. (Fix #14921)
20. Enhance Lua language syntax highlighting. (Fix #7615, #15081)
21. Improve the function list support for Ada. (Fix #14908, #14687, #14498)

The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project. There is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack.

• Fix “Replace All” action not notifying plugins of modification regression by adding NPPN_GLOBALMODIFIED.
• Fix plugins not receiving some Scintilla notification types regression.
• Fix Shortcut Mapper pontential crash problem.
• Fix period backup pontential crash due to the dead lock.
• Fix NUL characters file corruption after power outrages.
• Remedy losing session problem after the power outrages.
• Fix URLs are not detected after a “Replace All” regression.
• Notify user while saving failure due to hardware problem.
• Update to scintilla 5.4.3 (from 5.4.1) & Lexilla 5.3.1.
• Support template literal (template strings) in JavaScript & make back-quoted strings more readable.
• Add support for Change History in the text, besides in the margin. Also, make Change History color configurable.
• Fix NPPM_RELOADFILE API return wrong result issue.
• Enhance Shortcut Mapper filter to find the command items more easily.
• Prevent typing control characters into document & make it optional.
• Fix possible no-GUI state when using systray.
• Make context menu popup location at current text position when invoked via keyboard.
• Fix Notepad++ blocked when closed minimized or from systray.
• Fix Mouse Wheel Scrolling in Shortcut Mapper & reduce also the memory use.
• Fix Python wrong decorator attribute colors & add “ATTRIBUTE” color in styles.xml.model.

In Notepad++ version 8.6.3, a regression was identified and subsequently fixed. When two documents are displayed side by side, clicking into the unfocused content no longer activates it as the current document. This regression has been resolved in version 8.6.4. We apologize for any inconvenience caused.

When I copy some long string like json from a debugger, and want to look at it properly formatted it starts off encoded with /n and /t characters, etc.

I usually go:

• Replace (Normal) /n -> qqqq
• Replace (Extended) qqqq -> /n

Is there some trick to do this in one step?