Security Alert: OS Command Injection in Vim (before 9.2.0435)
Posted: Mon May 04, 2026 1:39 am
Security Notice: Vim OS Command Injection via 'path' Completion – fixed in 9.2.0435
A security issue was reported in Vim on 02 May 2026. It affects Vim versions before 9.2.0435 and is currently rated Medium. A CVE has been requested but was not assigned at the time of the report. The weakness is classified as CWE-78: OS Command Injection. The issue exists in Vim’s command-line completion for :find and related commands. If Vim’s 'path' option contains shell commands inside backticks, those commands may be executed during filename completion. This becomes dangerous because older Vim versions could allow 'path' to be changed through a modeline inside an attacker-controlled file. In practice, a victim would need to open such a file and then trigger completion with Tab while using commands like :find, :sfind or :tabfind. The impact is arbitrary shell command execution with the permissions of the…
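As an added illustration (not part of the original notice), a small Python check that flags modelines in the first and last five lines of a file which set 'path' (or its short name 'pa') to a value containing a backtick, the pattern the notice describes; the modeline grammar used here is a simplified assumption, and the sample files are constructed. Turning modelines off (set nomodeline in the vimrc) prevents Vim from reading such lines at all.

```python
import re
from typing import List, Tuple

# Vim only honours modelines in the first and last 'modelines' lines (default 5).
MODELINES = 5

# Simplified modeline grammar (assumption; Vim's real parser is more lenient):
# "vi:", "vim:" or "ex:" followed by options, optionally in the "set ... :" form.
MODELINE_RE = re.compile(
    r"(?:^|\s)(?:vi|vim|ex):\s*(?:se(?:t)?\s+)?(?P<opts>.*)$", re.IGNORECASE
)
# A 'path' / 'pa' assignment (plain, +=, ^= or -=) followed somewhere by a backtick.
# Heuristic: may over-match when a later option holds the backtick; that is acceptable
# for a triage check that only flags files for a closer look.
PATH_BACKTICK_RE = re.compile(r"(?:^|[\s:])(?:path|pa)[+^-]?=.*?`")


def suspicious_modelines(text: str, modelines: int = MODELINES) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for head/tail modelines that set 'path'
    to something containing a backtick expression."""
    lines = text.splitlines()
    n = len(lines)
    # Only the head and tail are candidates; the set de-duplicates short files.
    candidates = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    hits = []
    for idx in candidates:
        m = MODELINE_RE.search(lines[idx])
        if m and PATH_BACKTICK_RE.search(m.group("opts")):
            hits.append((idx + 1, lines[idx]))
    return hits


# Constructed sample files (not real payloads): a benign modeline, a backtick in
# 'path' near the top, one buried mid-file (outside the scanned window), and the
# short-name form in the tail.
SAFE = "int main(void) { return 0; }\n/* vim: set ts=4 sw=4 path=.,/usr/include: */\n"
BAD = "# demo file (constructed)\n# vim: set path=`echo\\ x`: ft=python\n" + "x = 1\n" * 20 + "\n"
MIDDLE = "a\n" * 10 + "# vim: set path=`echo`:\n" + "b\n" * 10
BAD_TAIL = "line\n" * 10 + "# vi:pa=`echo`\n"

if __name__ == "__main__":
    for name, sample in [("SAFE", SAFE), ("BAD", BAD), ("MIDDLE", MIDDLE), ("BAD_TAIL", BAD_TAIL)]:
        print(name, suspicious_modelines(sample))
```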