Description
A flaw has been found in Neovim up to 0.12.2. The affected code is the function M.read in the file runtime/lua/vim/secure.lua of the View Branch component. Manipulation of the argument path can lead to command injection. The attack can only be launched on the local host. An exploit has been published and may be used. The fix is identified by commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf; applying this patch is recommended to remediate the issue.
Published: 2026-06-08
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Neovim's secure.lua View Branch component, specifically the M.read function that processes a path argument. An attacker who controls this argument can inject shell commands, causing the Neovim process to execute them. The flaw does not provide remote code execution; it allows commands to run on the local host where Neovim is running, with the privileges of the Neovim process. The weakness is classified as CWE-74 (improper neutralization of special elements passed to a downstream component, i.e. injection) and CWE-77 (improper neutralization of special elements used in a command, i.e. command injection), which indicates that untrusted input reaches a shell command without adequate escaping.

Affected Systems

Neovim up to and including version 0.12.2 is affected. The vulnerability is tied to the runtime/lua/vim/secure.lua file in the View Branch component of the Neovim project.

Risk and Exploitability

The CVSS score of 4.8 places the vulnerability in the medium range. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, which suggests limited widespread exploitation. Attackers can only trigger the injection locally, when they are able to invoke Neovim and supply a crafted path argument. Since the exploit has already been published, it is readily available to anyone with local access. Overall risk is moderate, with low local privileges required.

Generated by OpenCVE AI on June 8, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Neovim patch corresponding to commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf or upgrade to a release newer than 0.12.2.
  • If a patch cannot be applied immediately, restrict the use of the M.read function by disabling or limiting access to the secure.lua View Branch component in local configuration.
  • Ensure that local user accounts running Neovim have minimal privileges and that directory paths used by M.read are tightly controlled to avoid influencing command execution.


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | A flaw has been found in Neovim up to 0.12.2. Affected by this issue is the function M.read of the file runtime/lua/vim/secure.lua of the component View Branch. Executing a manipulation of the argument path can lead to command injection. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A patch should be applied to remediate this issue.
Title | (none) | Neovim View Branch secure.lua M.read command injection
First Time appeared | (none) | Neovim; Neovim neovim
Weaknesses | (none) | CWE-74; CWE-77
CPEs | (none) | cpe:2.3:a:neovim:neovim:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Neovim; Neovim neovim
References | (none) | (none)
Metrics | (none) | cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T04:15:11.583Z

Reserved: 2026-06-07T10:08:20.721Z

Link: CVE-2026-11487

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T05:16:29.847

Modified: 2026-06-08T05:16:29.847

Link: CVE-2026-11487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T07:00:10Z

Weaknesses