Description
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
Published: 2026-02-27
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via OS Command Injection
Action: Apply Patch
AI Analysis

Impact

Vim's netrw plugin, which supports file transfer protocols, builds system commands from user-supplied URLs without proper sanitization. When a user opens a crafted URL, such as one using the scp:// scheme, parts of that URL are inserted unescaped into the shell command the plugin runs, so arbitrary shell commands can be injected. The injected commands execute with the privileges of the user running Vim, enabling an attacker to run code on the host with that user's rights.

Affected Systems

Any installation of Vim that uses the bundled netrw plugin and is running a version earlier than 9.2.0073 is affected. The flaw applies to the standard Vim distribution for Linux, macOS, Windows and other platforms where the plugin is enabled, regardless of whether it is compiled with or without network protocol support.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than one percent suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is currently no catalogued evidence of real-world attacks. Exploitation requires the victim to open a malicious URL; the most likely attack vector is a local user, or an attacker who can trick a user into opening such a link. Because the injected commands run with the same privileges as the Vim process, a local attacker can achieve privilege escalation if the Vim process is started by a privileged account. The official patch is available in Vim 9.2.0073 and later.

Generated by OpenCVE AI on April 17, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0073 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, disable the netrw plugin or the scp protocol handler by commenting out its loading or setting configuration options that prevent it from executing commands.
  • Avoid opening URLs from untrusted sources, or use alternative file transfer methods that do not rely on the netrw plugin.
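A defender-side check for the affected-version condition described above, added here as an example and not OpenCVE's or Vim's own code: it parses the banner that `vim --version` prints and reports whether the build predates 9.2.0073, treating a patch list with a gap at patch 73 as still unfixed. The sample banners and the `check_installed_vim` helper are assumptions for illustration.

```python
"""Check whether a Vim build predates the CVE-2026-28417 fix (9.2.0073).
Added example, not OpenCVE's or Vim's code; it reads the banner that
`vim --version` prints. Sample banners below are constructed."""
import re
import subprocess

FIX_MAJOR, FIX_MINOR, FIX_PATCH = 9, 2, 73  # fixed in Vim 9.2.0073

def parse_vim_version(output: str):
    """Return (major, minor, set of included patch numbers) from banner text."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        raise ValueError("not a Vim --version banner")
    patches = set()
    pm = re.search(r"Included patches:\s*(.+)", output)
    if pm:  # e.g. "1-1500" or "1-72, 74-80"; line absent means no patches
        for part in pm.group(1).split(","):
            part = part.strip()
            if "-" in part:
                lo, hi = part.split("-", 1)
                patches.update(range(int(lo), int(hi) + 1))
            elif part:
                patches.add(int(part))
    return int(m.group(1)), int(m.group(2)), patches

def is_vulnerable(major: int, minor: int, patches: set) -> bool:
    """True when the build is older than 9.2.0073. A 9.2 build counts as
    fixed only if patch 73 itself is present; "1-72, 74-80" still lacks it."""
    if (major, minor) != (FIX_MAJOR, FIX_MINOR):
        return (major, minor) < (FIX_MAJOR, FIX_MINOR)
    return FIX_PATCH not in patches

def check_installed_vim(binary: str = "vim") -> bool:
    """Assumed helper: run the local binary and report whether it is affected."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_vulnerable(*parse_vim_version(out))

# Constructed sample banners (not real vendor output) for offline use.
SAMPLE_OLD = ("VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)\n"
              "Included patches: 1-1500\n")
SAMPLE_FIXED = ("VIM - Vi IMproved 9.2 (2026 Jan 01, compiled ...)\n"
                "Included patches: 1-73\n")
SAMPLE_GAP = ("VIM - Vi IMproved 9.2 (2026 Jan 01, compiled ...)\n"
              "Included patches: 1-72, 74-80\n")

if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("gap", SAMPLE_GAP)):
        status = "vulnerable" if is_vulnerable(*parse_vim_version(text)) else "fixed"
        print(f"{name}: {status}")
```

Run `check_installed_vim()` on a host to test the actual binary; the patch-set logic is what matters for distribution builds that backport only some patches.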

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 18:00:00 +0000

Type   | Values Removed | Values Added
CPEs   |                | cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

Mon, 02 Mar 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Vim, Vim vim
Vendors & Products  |                | Vim, Vim vim

Sat, 28 Feb 2026 12:15:00 +0000

Type       | Values Removed        | Values Added
Weaknesses |                       | CWE-78
References |                       |
Metrics    | threat_severity: None | threat_severity: Moderate

Sat, 28 Feb 2026 01:30:00 +0000

Type       | Values Removed | Values Added
References |                |

Fri, 27 Feb 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
Title       |                | Vim has OS Command Injection in netrw
Weaknesses  |                | CWE-86
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:51:24.894Z

Reserved: 2026-02-27T15:33:57.290Z

Link: CVE-2026-28417

Vulnrichment

Updated: 2026-02-28T00:15:30.536Z

NVD

Status: Analyzed

Published: 2026-02-27T22:16:24.833

Modified: 2026-03-03T17:50:29.827

Link: CVE-2026-28417

Redhat

Severity: Moderate

Public Date: 2026-02-27T21:54:35Z

Links: CVE-2026-28417 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses