Format String Injection in Notepad++ FindInFiles nativeLang.xml Handling

This repository is a small proof-of-concept exploit package for CVE-2026-3008 affecting Notepad++ 8.9.3 on Windows. It is not tied to a common exploit framework. The repo contains one explanatory README and three XML payload files under payloads/. The exploit is file-based and local in delivery: it relies on replacing or planting a malicious nativeLang.xml localization file that Notepad++ loads when localization is enabled. The vulnerable data flow described in the README is nativeLang.xml -> TinyXML parser -> NativeLangSpeaker UTF conversion -> sub_140099E60 -> wsprintfW, where the <find-result-hits> attribute is used directly as a format string. Because wsprintfW is invoked with only the format string and no matching variadic arguments, attacker-supplied specifiers read stale register/stack values. The provided payloads demonstrate two practical outcomes: reliable denial of service using repeated %s specifiers that dereference invalid pointers and crash Notepad++, and information disclosure using %08lx or %x specifiers that render stack/register-derived values in the Find Results panel. The README explicitly notes that wsprintfW does not support %n and that the output limit matches the destination buffer, so the demonstrated impact is limited to crash and memory disclosure rather than code execution. Repository structure is straightforward: README.md documents the vulnerability, trigger conditions, affected functions and addresses, and exploitation constraints; payloads/formatstring_crash.xml provides a crash-oriented payload; payloads/formatstring_leak.xml provides a memory disclosure payload; payloads/formatstring_perX.xml provides a simpler hexadecimal leak variant. The exploit triggers when the victim performs a search operation that yields results, including Find All, Find in Files, Replace All, or Mark All.