Security Alert: OS Command Injection in Vim (before 9.2.0435)

NetGuru
Posts: 56
Joined: Thu Apr 23, 2026 5:29 pm

Post by NetGuru »

Security Notice: Vim OS Command Injection via 'path' Completion – fixed in 9.2.0435

A security issue was reported in Vim on 02 May 2026. It affects Vim versions before 9.2.0435 and is currently rated Medium. A CVE has been requested but was not assigned at the time of the report. The weakness is classified as CWE-78: OS Command Injection. The issue exists in Vim’s command-line completion for :find and related commands. If Vim’s 'path' option contains shell commands inside backticks, those commands may be executed during filename completion. This becomes dangerous because older Vim versions could allow 'path' to be changed through a modeline inside an attacker-controlled file. In practice, a victim would need to open such a file and then trigger completion with Tab while using commands like :find, :sfind or :tabfind. The impact is arbitrary shell command execution with the permissions of the…
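The post describes the dangerous combination as a modeline that rewrites 'path' so that it contains a backtick shell command. Until hosts are on 9.2.0435 or later, a defender can at least triage files for that pattern before they are opened. The following scanner is an added example written for this thread; it is not code from the Vim project or from the poster. It relies on two documented Vim facts: modelines are only honoured within the first and last 'modelines' lines of a file (default 5), and they take the forms "vim: set opts:" or "vim: opts" after one of the prefixes vi:, vim:, Vim: or ex:. The function names, the regular expressions and the sample inputs are this example's own assumptions, and the check is a heuristic (it flags any modeline that sets 'path' or its short name 'pa' and carries a backtick command); upgrading Vim remains the actual fix.

```python
import re

# Vim only honours modelines in the first and last 'modelines' lines of a
# file (the default is 5), so that is the window the scanner inspects.
MODELINE_WINDOW = 5

# Both documented modeline forms begin with one of these prefixes at line
# start or after whitespace: "vim: set opts:" and "vim: opts".
_MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(?P<body>.*)$')

# The 'path' option (short name 'pa'), assigned with =, +=, ^= or -=.
_PATH_OPT_RE = re.compile(r'(?<![A-Za-z])(?:path|pa)\s*[+^-]?=')

# A backtick-delimited shell command, which Vim expands when 'path' is used.
_BACKTICK_RE = re.compile(r'`[^`]+`')


def candidate_lines(text, window=MODELINE_WINDOW):
    """Yield (1-based line number, line) for lines Vim would parse as modelines."""
    lines = text.splitlines()
    if len(lines) <= 2 * window:
        indices = range(len(lines))
    else:
        indices = list(range(window)) + list(range(len(lines) - window, len(lines)))
    for i in indices:
        yield i + 1, lines[i]


def find_path_backticks(text, window=MODELINE_WINDOW):
    """Return (line number, backtick command) for every modeline in the
    scanned window that sets 'path' to a value containing a backtick command."""
    findings = []
    for lineno, line in candidate_lines(text, window):
        match = _MODELINE_RE.search(line)
        if not match:
            continue
        body = match.group('body')
        if not _PATH_OPT_RE.search(body):
            continue
        for cmd in _BACKTICK_RE.findall(body):
            findings.append((lineno, cmd))
    return findings


# Constructed sample inputs (hypothetical files, not captured artefacts).
SAMPLE_MALICIOUS = "\n".join([
    "#!/bin/sh",
    "# constructed sample with a modeline that points 'path' at a backtick command",
    "# vim: set path=`echo injected` ft=sh:",
    "echo hello",
])

SAMPLE_BENIGN = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hello\n"

# The same modeline buried in the middle of a 17-line file: outside the
# first/last 5 lines, so Vim would not honour it and the scanner skips it.
SAMPLE_OUTSIDE_WINDOW = "\n".join(["line"] * 8 + ["# vim: set path=`echo x`:"] + ["line"] * 8)


if __name__ == "__main__":
    for name, sample in [("malicious", SAMPLE_MALICIOUS),
                         ("benign", SAMPLE_BENIGN),
                         ("outside window", SAMPLE_OUTSIDE_WINDOW)]:
        print(name, find_path_backticks(sample))
```

Run the module directly to see the three samples classified; the malicious sample reports line 3 with the backtick command, the other two report nothing. The window logic matters for triage accuracy: a modeline outside the first or last five lines is inert in Vim, so reporting it would only generate noise.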