Description
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
Published: 2026-03-24
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command injection enabling execution of arbitrary shell commands
Action: Apply patch
AI Analysis

Impact

Vim's glob() function on Unix-like systems contains a flaw that allows a newline character within a passed pattern to invoke command injection. An attacker can trigger this vulnerability if the editor's 'shell' setting is configured to a usable shell, thereby enabling the execution of arbitrary shell commands. This weakness can compromise system integrity and potentially lead to full control of the affected machine, depending on the privileges of the Vim user.

Affected Systems

The affected product is Vim for Linux and other Unix-like operating systems. All versions older than 9.2.0202 are vulnerable; the issue was fixed in the 9.2.0202 release.

Risk and Exploitability

The CVSS score of 5.6 indicates a moderate severity, while the EPSS score of less than 1% suggests that real-world exploitation is unlikely at the moment. The vulnerability is not listed in CISA's KEV catalog. Likely exploitation requires a local user to manipulate a glob() pattern, or an attacker who can supply a malicious input that is processed by Vim. In the absence of a remote code execution vector, the primary risk is local code execution.

Generated by OpenCVE AI on March 26, 2026 at 02:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0202 or newer
  • If immediate upgrade is not feasible, avoid using newline characters in glob() patterns and restrict untrusted input from being passed to glob()
  • Set the 'shell' option to a safe default or remove it from the environment when using Vim
  • Verify the installed version with 'vim --version' and confirm that the fix is in place

Generated by OpenCVE AI on March 26, 2026 at 02:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
Title Vim affected by Command injection via newline in glob()
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'}

Subscriptions

Vim Vim
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T03:55:39.372Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33412

cve-icon Vulnrichment

Updated: 2026-03-24T20:16:21.339Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:29.740

Modified: 2026-03-25T21:59:14.980

Link: CVE-2026-33412

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-24T19:43:07Z

Links: CVE-2026-33412 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:18:51Z

Weaknesses