Vim Modeline Bypass Enables Arbitrary Command Execution
Vim disclosed a high-severity vulnerability that lets attackers achieve arbitrary OS command execution when a user opens a crafted file in affected versions earlier than 9.2.0276. The flaw is a modeline sandbox bypass caused by missing security-related P_MLE flags on the complete, guitabtooltip, and printheader options, allowing unsafe behavior from modelines that should have been restricted.
The bug also involves a missing check_secure() call in mapset(), which creates additional exploitation paths through key mappings and option handling. Researchers showed that the complete option could abuse F{func} callback syntax without the protections applied to completefunc, while guitabtooltip and printheader could be leveraged through mapset(). Vim fixed the issue in patch v9.2.0276, and the advisory was later assigned CVE-2026-34982; the project credited dfwjj x and Avishay Matayev for the discovery and analysis.
Timeline
Mar 31, 2026
GitHub advisory assigns CVE-2026-34982 to the Vim flaw
A later GitHub Security Advisory update assigned CVE-2026-34982 to the Vim modeline bypass vulnerability. The project also credited researchers "dfwjj x" and Avishay Matayev for discovering and analyzing the issue.
Mar 31, 2026
Vim vulnerability publicly disclosed on oss-sec
On March 31, 2026, Vim publicly disclosed technical details of a modeline sandbox bypass involving the `complete`, `guitabtooltip`, and `printheader` options and a missing `check_secure()` call in `mapset()`. The disclosure said the issue had no CVE at first and linked the fix and advisory information.
Mar 31, 2026
Vim fixes modeline sandbox bypass in patch v9.2.0276
The Vim project fixed a high-severity modeline sandbox bypass in patch v9.2.0276. The flaw affected Vim versions earlier than 9.2.0276 and could allow arbitrary OS command execution when a user opened a crafted file.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Vim modeline flaw enables arbitrary command execution via crafted files
A high-severity vulnerability in **Vim** allows arbitrary OS command execution when a user opens a specially crafted file in affected versions earlier than `9.2.0272`. The bug involves the `tabpanel` option missing the `P_MLE` flag, which lets a modeline inject `%{expr}` expressions even when `modelineexpr` is not enabled. Researchers said the injected expression is initially evaluated inside Vim's sandbox, but the `autocmd_add()` function does not perform a `check_secure()` validation, allowing sandboxed code to register an autocommand that runs after the sandbox exits. The issue affects builds compiled with `+tabpanel`, including default `FEAT_HUGE` configurations, and requires no user interaction beyond opening the malicious file. Because `modeline` is enabled by default, the flaw exposes a broad attack surface on systems running vulnerable Vim releases, with commands executing under the privileges of the user running the editor. Vim addressed the issue in patch `v9.2.0272`, and the vulnerability was reported by Koda Reef.
1 months ago
Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified **code execution vulnerabilities** in `vim`, the widely used text editor, in two separate notices. The advisories, `2026-0782` and `2026-0886`, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application. The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where `vim` is installed or used to process untrusted content. Organizations using `vim` should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
1 weeks ago
Vim Fixed Two Command Injection Flaws in Tag Handling and netrw
The Vim project disclosed and patched two medium-severity command injection vulnerabilities that could let attackers run shell commands as the local Vim user. One flaw, fixed in `v9.2.0357`, affected tag navigation in versions before that release: Vim passed the filename field from a `tags` file through wildcard expansion, allowing backtick expressions in a malicious tag entry to trigger command execution when a user invoked tag lookups such as `:tag`, `Ctrl-]`, or `vim -t`. Because Vim checks for `tags` files in the working directory by default, a repository-hosted malicious `tags` file was identified as a plausible delivery path. A second flaw, fixed in `v9.2.0383`, affected Vim's bundled `netrw` plugin in versions earlier than that patch. The bug allowed crafted `sftp://` or `file://` URLs to influence temporary filenames derived from attacker-controlled suffixes, which could then be passed to external programs such as `sftp` or configured file handlers without proper escaping, leading to arbitrary OS command execution when a user opened a malicious URL. The netrw issue was reported by Joshua Rogers of AISLE Research Team, and both disclosures said CVE assignments had been requested but were not yet available at publication time.
1 weeks ago