Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified code execution vulnerabilities in vim, the widely used text editor, in two separate notices. The advisories, 2026-0782 and 2026-0886, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application.
The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where vim is installed or used to process untrusted content. Organizations using vim should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
Timeline
Apr 23, 2026
dCERT publishes advisory 2026-1219 for Vim code execution flaw
dCERT published advisory 2026-1219 concerning a Vim vulnerability that allows code execution. The reference provides no synopsis or additional remediation details.
Apr 16, 2026
dCERT publishes advisory 2026-1122 for Vim code execution flaw
dCERT published advisory 2026-1122 concerning a Vim vulnerability that allows code execution. The reference provides no additional technical details or remediation information.
Apr 8, 2026
dCERT publishes advisory 2026-0986 for Vim code execution flaw
dCERT published advisory 2026-0986 concerning a Vim vulnerability that allows code execution. The reference provides no additional technical details or remediation information.
Apr 1, 2026
dCERT publishes advisory 2026-0919 for Vim code execution flaw
dCERT published advisory 2026-0919 concerning a Vim vulnerability that allows code execution. The reference provides no additional synopsis or remediation details.
Mar 30, 2026
dCERT publishes advisory 2026-0886 for Vim code execution flaw
dCERT published advisory 2026-0886 concerning a Vim vulnerability that allows code execution. The reference does not clarify whether this is a new issue or an update to a previously reported flaw.
Mar 20, 2026
dCERT publishes advisory 2026-0782 for Vim code execution flaw
dCERT published advisory 2026-0782 warning of a Vim vulnerability that allows code execution. No additional technical details or remediation information are provided in the reference.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
1 more from sources like dcert
Related Stories
Code Execution Flaws Expose Vim netrw and SiYuan Users to Endpoint Compromise
Two newly disclosed vulnerabilities affect widely used desktop productivity tools and could let attackers execute code in the context of the logged-in user. **CVE-2026-28417** impacts Vim's `netrw` plugin and allows OS command injection with user interaction, potentially exposing the victim's files, environment variables, and active authentication tokens. The issue is rated **CVSS 4.4 (Medium)** and appears limited to local exploitation, but it could still support persistence, sensitive file theft, or follow-on lateral movement from a developer workstation. A more severe flaw, **CVE-2026-39846**, affects the SiYuan Electron client and enables remote code execution through a stored XSS condition delivered via synchronized note content. The vulnerability carries a **CVSS 9.1** rating and can be triggered when a user opens a malicious synchronized note, allowing silent background execution with the victim user's privileges. Reporting indicates a proof of concept exists, making targeted compromise plausible even though neither issue was reported as actively exploited at disclosure and the Vim flaw was not listed in CISA's Known Exploited Vulnerabilities catalog.
3 weeks ago
Vim Modeline Bypass Enables Arbitrary Command Execution
Vim disclosed a high-severity vulnerability that lets attackers achieve arbitrary OS command execution when a user opens a crafted file in affected versions earlier than **9.2.0276**. The flaw is a modeline sandbox bypass caused by missing security-related `P_MLE` flags on the `complete`, `guitabtooltip`, and `printheader` options, allowing unsafe behavior from modelines that should have been restricted. The bug also involves a missing `check_secure()` call in `mapset()`, which creates additional exploitation paths through key mappings and option handling. Researchers showed that the `complete` option could abuse `F{func}` callback syntax without the protections applied to `completefunc`, while `guitabtooltip` and `printheader` could be leveraged through `mapset()`. Vim fixed the issue in patch **v9.2.0276**, and the advisory was later assigned **CVE-2026-34982**; the project credited **dfwjj x** and **Avishay Matayev** for the discovery and analysis.
1 months ago
Vim Fixed Two Command Injection Flaws in Tag Handling and netrw
The Vim project disclosed and patched two medium-severity command injection vulnerabilities that could let attackers run shell commands as the local Vim user. One flaw, fixed in `v9.2.0357`, affected tag navigation in versions before that release: Vim passed the filename field from a `tags` file through wildcard expansion, allowing backtick expressions in a malicious tag entry to trigger command execution when a user invoked tag lookups such as `:tag`, `Ctrl-]`, or `vim -t`. Because Vim checks for `tags` files in the working directory by default, a repository-hosted malicious `tags` file was identified as a plausible delivery path. A second flaw, fixed in `v9.2.0383`, affected Vim's bundled `netrw` plugin in versions earlier than that patch. The bug allowed crafted `sftp://` or `file://` URLs to influence temporary filenames derived from attacker-controlled suffixes, which could then be passed to external programs such as `sftp` or configured file handlers without proper escaping, leading to arbitrary OS command execution when a user opened a malicious URL. The netrw issue was reported by Joshua Rogers of AISLE Research Team, and both disclosures said CVE assignments had been requested but were not yet available at publication time.
1 weeks ago