Vim Fixed Two Command Injection Flaws in Tag Handling and netrw
The Vim project disclosed and patched two medium-severity command injection vulnerabilities that could let attackers run shell commands as the local Vim user. One flaw, fixed in v9.2.0357, affected tag navigation in versions before that release: Vim passed the filename field from a tags file through wildcard expansion, allowing backtick expressions in a malicious tag entry to trigger command execution when a user invoked tag lookups such as :tag, Ctrl-], or vim -t. Because Vim checks for tags files in the working directory by default, a repository-hosted malicious tags file was identified as a plausible delivery path.
A second flaw, fixed in v9.2.0383, affected Vim's bundled netrw plugin in versions earlier than that patch. The bug allowed crafted sftp:// or file:// URLs to influence temporary filenames derived from attacker-controlled suffixes, which could then be passed to external programs such as sftp or configured file handlers without proper escaping, leading to arbitrary OS command execution when a user opened a malicious URL. The netrw issue was reported by Joshua Rogers of AISLE Research Team, and both disclosures said CVE assignments had been requested but were not yet available at publication time.
Timeline
Apr 21, 2026
Vim discloses and fixes netrw command injection in patch v9.2.0383
Vim disclosed a medium-severity OS command injection vulnerability in the bundled netrw plugin affecting versions earlier than 9.2.0383. Reported by Joshua Rogers of AISLE Research Team, the flaw involved crafted URLs leading to unsafe temporary filenames, and the project published a GitHub Security Advisory and fixing commit in patch v9.2.0383.
Apr 15, 2026
Vim fixes tag filename command injection in patch v9.2.0357
A command injection flaw in Vim's handling of tag filenames was disclosed as affecting versions prior to 9.2.0357. The issue could allow shell command execution via backtick expansion when a user navigates tags from a malicious tags file, and Vim fixed it in patch v9.2.0357.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Code Execution Flaws Expose Vim netrw and SiYuan Users to Endpoint Compromise
Two newly disclosed vulnerabilities affect widely used desktop productivity tools and could let attackers execute code in the context of the logged-in user. **CVE-2026-28417** impacts Vim's `netrw` plugin and allows OS command injection with user interaction, potentially exposing the victim's files, environment variables, and active authentication tokens. The issue is rated **CVSS 4.4 (Medium)** and appears limited to local exploitation, but it could still support persistence, sensitive file theft, or follow-on lateral movement from a developer workstation. A more severe flaw, **CVE-2026-39846**, affects the SiYuan Electron client and enables remote code execution through a stored XSS condition delivered via synchronized note content. The vulnerability carries a **CVSS 9.1** rating and can be triggered when a user opens a malicious synchronized note, allowing silent background execution with the victim user's privileges. Reporting indicates a proof of concept exists, making targeted compromise plausible even though neither issue was reported as actively exploited at disclosure and the Vim flaw was not listed in CISA's Known Exploited Vulnerabilities catalog.
3 weeks ago
Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified **code execution vulnerabilities** in `vim`, the widely used text editor, in two separate notices. The advisories, `2026-0782` and `2026-0886`, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application. The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where `vim` is installed or used to process untrusted content. Organizations using `vim` should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
1 weeks ago
Vim Modeline Bypass Enables Arbitrary Command Execution
Vim disclosed a high-severity vulnerability that lets attackers achieve arbitrary OS command execution when a user opens a crafted file in affected versions earlier than **9.2.0276**. The flaw is a modeline sandbox bypass caused by missing security-related `P_MLE` flags on the `complete`, `guitabtooltip`, and `printheader` options, allowing unsafe behavior from modelines that should have been restricted. The bug also involves a missing `check_secure()` call in `mapset()`, which creates additional exploitation paths through key mappings and option handling. Researchers showed that the `complete` option could abuse `F{func}` callback syntax without the protections applied to `completefunc`, while `guitabtooltip` and `printheader` could be leveraged through `mapset()`. Vim fixed the issue in patch **v9.2.0276**, and the advisory was later assigned **CVE-2026-34982**; the project credited **dfwjj x** and **Avishay Matayev** for the discovery and analysis.
1 months ago