Vim modeline flaw enables arbitrary command execution via crafted files
A high-severity vulnerability in Vim allows arbitrary OS command execution when a user opens a specially crafted file in affected versions earlier than 9.2.0272. The bug involves the tabpanel option missing the P_MLE flag, which lets a modeline inject %{expr} expressions even when modelineexpr is not enabled. Researchers said the injected expression is initially evaluated inside Vim's sandbox, but the autocmd_add() function does not perform a check_secure() validation, allowing sandboxed code to register an autocommand that runs after the sandbox exits.
The issue affects builds compiled with +tabpanel, including default FEAT_HUGE configurations, and requires no user interaction beyond opening the malicious file. Because modeline is enabled by default, the flaw exposes a broad attack surface on systems running vulnerable Vim releases, with commands executing under the privileges of the user running the editor. Vim addressed the issue in patch v9.2.0272, and the vulnerability was reported by Koda Reef.
Timeline
Apr 2, 2026
oss-sec thread identifies Vim flaw as CVE-2026-34714
An oss-sec follow-up thread identified the Vim tabpanel modeline escape vulnerability as CVE-2026-34714 and referenced GitHub Security Advisory GHSA-2gmj-rpqf-pxvh. The discussion said GitHub Support could not assign a CVE because one had already been issued by another party, clarifying the vulnerability's tracking status.
Apr 1, 2026
Researchers disclose Emacs Git-integration command-execution issue
Researchers reported a GNU Emacs arbitrary-command-execution issue tied to Git integration, where opening a file could trigger Git operations that run attacker-controlled commands through a user-defined core.fsmonitor program. The report said Emacs maintainers considered it a Git issue, and it remained unpatched in Emacs at the time of publication.
Mar 31, 2026
Vim opens pull request to disable modelines by default
A new Vim pull request titled 'Modelines cause too many issues' proposed changing the editor's default behavior to disable modelines, reflecting a broader mitigation response after the command-execution vulnerability. The proposal indicates maintainers were considering reducing attack surface beyond the v9.2.0272 patch.
Mar 30, 2026
oss-sec discloses details of Vim command-execution issue
An oss-sec mailing list post publicly disclosed technical details of the Vim tabpanel modeline escape, including the missing P_MLE flag and the sandbox escape via autocmd_add(). A follow-up discussion emphasized that modeline is enabled by default, increasing exposure on default FEAT_HUGE builds.
Mar 30, 2026
Vim fixes tabpanel modeline escape in patch v9.2.0272
Vim addressed the vulnerability in patch v9.2.0272. The flaw affected versions earlier than 9.2.0272 and could be exploited without enabling modelineexpr.
Mar 30, 2026
Koda Reef reports Vim tabpanel modeline escape vulnerability
A high-severity vulnerability chain in Vim was reported by Koda Reef. The issue allows arbitrary OS command execution when a user opens a crafted file in affected builds with +tabpanel support.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
5 more from sources like oss security mailing list, scworld, github.com and cyber security news
Related Stories
Vim Modeline Bypass Enables Arbitrary Command Execution
Vim disclosed a high-severity vulnerability that lets attackers achieve arbitrary OS command execution when a user opens a crafted file in affected versions earlier than **9.2.0276**. The flaw is a modeline sandbox bypass caused by missing security-related `P_MLE` flags on the `complete`, `guitabtooltip`, and `printheader` options, allowing unsafe behavior from modelines that should have been restricted. The bug also involves a missing `check_secure()` call in `mapset()`, which creates additional exploitation paths through key mappings and option handling. Researchers showed that the `complete` option could abuse `F{func}` callback syntax without the protections applied to `completefunc`, while `guitabtooltip` and `printheader` could be leveraged through `mapset()`. Vim fixed the issue in patch **v9.2.0276**, and the advisory was later assigned **CVE-2026-34982**; the project credited **dfwjj x** and **Avishay Matayev** for the discovery and analysis.
1 months ago
Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified **code execution vulnerabilities** in `vim`, the widely used text editor, in two separate notices. The advisories, `2026-0782` and `2026-0886`, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application. The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where `vim` is installed or used to process untrusted content. Organizations using `vim` should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
1 weeks ago
Vim Fixed Two Command Injection Flaws in Tag Handling and netrw
The Vim project disclosed and patched two medium-severity command injection vulnerabilities that could let attackers run shell commands as the local Vim user. One flaw, fixed in `v9.2.0357`, affected tag navigation in versions before that release: Vim passed the filename field from a `tags` file through wildcard expansion, allowing backtick expressions in a malicious tag entry to trigger command execution when a user invoked tag lookups such as `:tag`, `Ctrl-]`, or `vim -t`. Because Vim checks for `tags` files in the working directory by default, a repository-hosted malicious `tags` file was identified as a plausible delivery path. A second flaw, fixed in `v9.2.0383`, affected Vim's bundled `netrw` plugin in versions earlier than that patch. The bug allowed crafted `sftp://` or `file://` URLs to influence temporary filenames derived from attacker-controlled suffixes, which could then be passed to external programs such as `sftp` or configured file handlers without proper escaping, leading to arbitrary OS command execution when a user opened a malicious URL. The netrw issue was reported by Joshua Rogers of AISLE Research Team, and both disclosures said CVE assignments had been requested but were not yet available at publication time.
1 weeks ago