Notepad++ v8.9.3 is out with updater security hardening, crash fixes, and XML parser changes


Notepad++ has released version 8.9.3, and this is a meaningful maintenance update rather than a minor point release. It fixes a User Defined Language crash, resolves a plugin-related admin privilege regression, improves updater behavior behind corporate MITM proxies, and moves the app further toward a faster XML parsing stack.

One of the headline changes is in the updater. The Notepad++ team says v8.9.3 updates cURL to 8.19.0 in the auto-updater component WinGUp to address a cURL security issue tied to CVE-2025-14819.

There is an important nuance here. The curl project’s own advisory says CVE-2025-14819 affected curl versions 7.87.0 through 8.17.0 and was fixed starting in curl 8.18.0, while curl 8.19.0 itself has no published security vulnerabilities. So Notepad++ is clearly moving to a newer safe curl build, but the underlying CVE had already been fixed upstream before 8.19.0 shipped.
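The version range above can be checked against an inventory of curl banners. This is an added example, not code from the Notepad++ or curl projects; the host names and banner lines are constructed samples, and the check classifies by version number only.

```python
import re

# Range as summarised in the article from the curl advisory for CVE-2025-14819.
FIRST_AFFECTED = (7, 87, 0)
LAST_AFFECTED = (8, 17, 0)


def parse_version(banner):
    """Return (major, minor, patch) from a `curl --version` style banner, or None.

    The libcurl/ token is preferred because the library, not the CLI
    front end, is what an embedding updater links against.
    """
    match = (re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
             or re.search(r"\bcurl (\d+)\.(\d+)\.(\d+)", banner))
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    # Integer tuples compare numerically, so 8.9.0 sorts below 8.17.0.
    # A plain string comparison would order them the wrong way round.
    if version < FIRST_AFFECTED:
        return "before-affected-range"
    if version <= LAST_AFFECTED:
        return "affected"
    return "fixed"


# Constructed sample inventory (hypothetical hosts, not real scan output).
SAMPLE_INVENTORY = {
    "host-a": "curl 8.19.0 (x86_64-w64-mingw32) libcurl/8.19.0 Schannel zlib/1.3.1",
    "host-b": "curl 8.17.0 (x86_64-w64-mingw32) libcurl/8.17.0 Schannel",
    "host-c": "curl 8.9.0 (x86_64-w64-mingw32) libcurl/8.9.0 Schannel",
    "host-d": "curl 7.86.0 (Windows) libcurl/7.86.0",
    "host-e": "version string missing",
}


def audit(inventory):
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```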

What changed in Notepad++ v8.9.3

The most notable user-facing fix may be the plugin privilege issue. Notepad++ says installing or removing a plugin could reopen the editor with permanent admin privilege, and v8.9.3 fixes that regression.

The release also fixes a crash in User Defined Language handling and another long-running issue where printing could crash the editor. On top of that, the team fixed a memory leak on exit and corrected Find in Files behavior when searching file content on disk.

Performance and internal structure also got attention. Notepad++ says it migrated the XML parser from TinyXML to pugixml for better performance, and the build now includes Scintilla 5.6.0 and Lexilla 5.4.7.

Enterprise and admin improvements

This release adds disableNppAutoUpdate.xml, which gives administrators a way to disable auto-update even when WinGUp is present. That gives IT teams more direct control in managed environments where central patching matters more than end-user updating.

Notepad++ also says it fixed update and plugin download failures behind corporate MITM proxies. That is a practical change for enterprise setups that inspect HTTPS traffic through internal security gateways.

Portable users also get a safeguard here. The release notes say v8.9.3 prevents XML config files from being overwritten during portable package updates done with copy and paste, which should reduce accidental config loss.

Key fixes at a glance

  • Fixes a crash in User Defined Language.
  • Fixes the plugin install or removal issue that could relaunch Notepad++ with permanent admin privilege.
  • Updates cURL to 8.19.0 in WinGUp.
  • Fixes updater and plugin downloads behind corporate MITM proxies.
  • Migrates XML parsing from TinyXML to pugixml for performance.
  • Updates Scintilla to 5.6.0 and Lexilla to 5.4.7.
  • Fixes print-related crashes, memory leak on exit, and Find in Files issues.

Quick breakdown

| Area | What changed in v8.9.3 | Why it matters |
|---|---|---|
| Security | WinGUp now uses cURL 8.19.0 | Strengthens updater component and moves to a curl release with no published vulnerabilities |
| Privileges | Plugin operations no longer relaunch with permanent admin rights | Reduces unintended privilege exposure |
| Stability | Fixes UDL crash and print crash | Improves day-to-day reliability |
| Performance | XML parser moved from TinyXML to pugixml | Improves config read and write performance |
| Admin control | disableNppAutoUpdate.xml added | Helps enterprise deployment management |

FAQ

Is Notepad++ v8.9.3 a security update?

Yes, partly. The release includes a cURL update in the WinGUp auto-updater and fixes a plugin-related admin privilege regression.

Did cURL 8.19.0 specifically fix CVE-2025-14819?

Not exactly. The curl project says CVE-2025-14819 was fixed in 8.18.0, and 8.19.0 shipped later with no published vulnerabilities. Notepad++ still benefits from moving to 8.19.0 because it is a newer safe release.

What was the admin privilege bug?

Notepad++ says installing or removing a plugin could reopen the app with permanent admin privilege. Version 8.9.3 fixes that behavior.

Should users update right away?

For most users, yes. This release combines security hardening, crash fixes, and updater improvements, so it looks like a worthwhile update instead of a cosmetic refresh.
