All errata/p10/ALT-PU-2026-8499-4
ALT-PU-2026-8499-4

Package update vim in branch p10

Version9.2.0537-alt1
Task#419442
Published2026-06-14
Max severityCRITICAL
Severity:

Closed issues (40)

BDU:2025-11730
MEDIUM4.1

Уязвимость текстового редактора vim, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю выполнить произвольные команды

Published: 2025-09-25Modified: 2026-05-31
CVSS 3.xMEDIUM 4.1
CVSS:3.x/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
CVSS 2.0LOW 2.6
CVSS:2.0/AV:L/AC:H/Au:N/C:N/I:P/A:P
References
BDU:2025-11731
MEDIUM4.1

Уязвимость текстового редактора vim, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю выполнить произвольные команды

Published: 2025-09-25Modified: 2026-05-31
CVSS 3.xMEDIUM 4.1
CVSS:3.x/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
CVSS 2.0LOW 2.6
CVSS:2.0/AV:L/AC:H/Au:N/C:N/I:P/A:P
References
BDU:2025-12929
HIGH8.8

Уязвимость функции tuple_unref() текстового редактора vim, позволяющая нарушителю выполнить произвольный код

Published: 2025-10-14Modified: 2026-03-03
CVSS 3.xHIGH 8.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2025-12932
HIGH8.8

Уязвимость функции clear_tv() текстового редактора vim, позволяющая нарушителю выполнить произвольный код

Published: 2025-10-14Modified: 2026-03-03
CVSS 3.xHIGH 8.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2026-02586
MEDIUM5.3

Уязвимость текстового редактора vim, связанная с чтением за границами буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-05
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2026-02587
LOW2.2

Уязвимость текстового редактора vim, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю оказать воздействие на целостность защищаемой информации

Published: 2026-03-05
CVSS 3.xLOW 2.2
CVSS:3.x/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CVSS 2.0LOW 1.0
CVSS:2.0/AV:L/AC:H/Au:S/C:N/I:P/A:N
References
BDU:2026-02588
MEDIUM4.4

Уязвимость текстового редактора vim, связанная с чтением за границами буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-05
CVSS 3.xMEDIUM 4.4
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CVSS 2.0LOW 3.6
CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:P/A:P
References
BDU:2026-02589
HIGH7.8

Уязвимость текстового редактора vim, связанная с непринятием мер по нейтрализации специальных элементов, позволяющая нарушителю выполнить произвольные команды

Published: 2026-03-05Modified: 2026-05-27
CVSS 3.xHIGH 7.8
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2026-02590
MEDIUM5.5

Уязвимость текстового редактора vim, связанная с чтением за границами буфера в памяти, позволяющая нарушителю оказать воздействие на доступность защищаемой информации

Published: 2026-03-05Modified: 2026-05-27
CVSS 3.xMEDIUM 5.5
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-02591
MEDIUM5.3

Уязвимость текстового редактора vim, связанная с переполнением буфера в динамической памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-05
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2026-05072
MEDIUM6.6

Уязвимость функции get_tagfname() файла src/tag.c текстового редактора vim, позволяющая нарушителю выполнить произвольный код

Published: 2026-04-12Modified: 2026-04-19
CVSS 3.xMEDIUM 6.6
CVSS:3.x/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
CVSS 2.0MEDIUM 6.2
CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:C/A:C
References
BDU:2026-05139
HIGH7.5

Уязвимость функции special_keys() файла src/netbeans.c текстового редактора vim, позволяющая нарушителю выполнить произвольный код

Published: 2026-04-13Modified: 2026-04-19
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.6
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C
References
BDU:2026-05671
MEDIUM4.1

Уязвимость плагина zip.vim текстового редактора vim, позволяющая нарушителю выполнить произвольные команды

Published: 2026-04-21
CVSS 3.xMEDIUM 4.1
CVSS:3.x/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
CVSS 2.0LOW 2.6
CVSS:2.0/AV:L/AC:H/Au:N/C:N/I:P/A:P
References
BDU:2026-05722
HIGH8.2

Уязвимость текстового редактора vim, связанная с непринятием мер по нейтрализации специальных элементов, позволяющая нарушителю выполнить произвольные команды

Published: 2026-04-21
CVSS 3.xHIGH 8.2
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0MEDIUM 6.6
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2026-05833
CRITICAL9.2

Уязвимость текстового редактора vim, связанная с непринятием мер по нейтрализации специальных элементов, позволяющая нарушителю выполнить произвольные команды

Published: 2026-04-26
CVSS 3.xCRITICAL 9.2
CVSS:3.x/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:P
References
BDU:2026-06512
HIGH7.8

Уязвимость функции :find текстового редактора vim, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Published: 2026-05-11
CVSS 3.xHIGH 7.8
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
References
CVE-2025-53905
MEDIUM4.1

Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.

Published: 2025-07-15Modified: 2025-11-04
CVSS 3.xMEDIUM 4.1
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
References
CVE-2025-53906
MEDIUM4.1

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.

Published: 2025-07-15Modified: 2026-04-01
CVSS 3.xMEDIUM 4.1
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
References
CVE-2025-55157
MEDIUM6.9

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1400, When processing nested tuples in Vim script, an error during evaluation can trigger a use-after-free in Vim’s internal tuple reference management. Specifically, the tuple_unref() function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. This issue has been patched in version 9.1.1400.

Published: 2025-08-11Modified: 2025-08-12
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-55158
MEDIUM6.9

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim’s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.

Published: 2025-08-11Modified: 2025-08-12
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-66476
HIGH7.8

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Published: 2025-12-02Modified: 2026-01-30
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-25749
MEDIUM6.6

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.

Published: 2026-02-06Modified: 2026-06-09
CVSS 3.xMEDIUM 6.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
References
CVE-2026-26269
HIGH7.5

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

Published: 2026-02-13Modified: 2026-02-18
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-28417
HIGH7.8

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Published: 2026-02-27Modified: 2026-03-03
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-28418
MEDIUM5.5

Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.

Published: 2026-02-27Modified: 2026-03-03
CVSS 3.xMEDIUM 5.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References
CVE-2026-28419
MEDIUM6.6

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.

Published: 2026-02-27Modified: 2026-03-04
CVSS 3.xMEDIUM 6.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
References
CVE-2026-28420
MEDIUM4.4

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

Published: 2026-02-27Modified: 2026-03-04
CVSS 3.xMEDIUM 4.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
References
CVE-2026-28421
HIGH7.8

Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

Published: 2026-02-27Modified: 2026-03-04
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-28422
LOW2.2

Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.

Published: 2026-02-27Modified: 2026-03-04
CVSS 3.xLOW 2.2
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
References
CVE-2026-33412
HIGH7.3

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Published: 2026-03-24Modified: 2026-03-25
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-34714
HIGH8.6

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Published: 2026-03-30Modified: 2026-04-03
CVSS 3.xHIGH 8.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References
CVE-2026-34982
HIGH8.2

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Published: 2026-04-06Modified: 2026-04-22
CVSS 3.xHIGH 8.2
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References
CVE-2026-35177
HIGH7.1

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Published: 2026-04-06Modified: 2026-04-20
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
References
CVE-2026-39881
HIGH7.8

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Published: 2026-04-08Modified: 2026-04-22
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-41411
MEDIUM6.6

Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

Published: 2026-04-24Modified: 2026-04-27
CVSS 3.xMEDIUM 6.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
References
CVE-2026-42307
MEDIUM4.4

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

Published: 2026-05-08Modified: 2026-05-14
CVSS 3.xMEDIUM 4.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
References
CVE-2026-44656
MEDIUM4.6

Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.

Published: 2026-05-08Modified: 2026-05-14
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS 4.0MEDIUM 4.6
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-45130
MEDIUM5.5

Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.

Published: 2026-05-08Modified: 2026-06-09
CVSS 3.xMEDIUM 5.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References
CVE-2026-46483
HIGH7.0

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

Published: 2026-05-15Modified: 2026-05-19
CVSS 3.xHIGH 7.0
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2026-47162
HIGH7.3

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

Published: 2026-06-11Modified: 2026-06-12
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References