Description
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
Published: 2026-03-30
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Patch Immediately
AI Analysis

Impact

Vim builds older than 9.2.0272 can execute attacker-controlled code as soon as a crafted file is opened, with no further interaction from the user. The flaw is an expression injection (tracked as CWE-917): the 'tabpanel' option accepts %{expr} items that are evaluated as Vim script, and the option was defined without the P_MLE flag. In Vim's option table P_MLE marks the options that may only be set from a file's modeline when 'modelineexpr' is enabled, so its absence meant a crafted file could set 'tabpanel' with an embedded expression under default settings; this reading is inferred from the meaning of the flag and matches the description's "default configuration" wording. Because Vim script expressions can call system() and similar functions, the result is arbitrary code execution with the privileges of the user running Vim, which is enough to compromise that user's session and data and, if the user is privileged, the host itself.

Affected Systems

All Vim builds before 9.2.0272 are affected; the page records a single wildcard CPE (cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*) rather than any platform-specific entry. The bug is reachable in the default configuration, so no optional feature or build flag has to be enabled. Any user who opens files from untrusted sources in an unpatched Vim is exposed. Because P_MLE governs what a modeline may set, disabling modelines ('nomodeline' in the vimrc) closes that vector on unpatched builds; this is inferred from the flag, not stated on this page, and upgrading remains the fix.

Risk and Exploitability

The CVSS v3.1 score of 9.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L) categorizes this vulnerability as critical; the changed scope (S:C) reflects that the injected code runs outside the editor. The EPSS score is below 1% (very low), the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attack vector is local: the attacker needs the victim to open a crafted file, but no network access and no existing privileges are required. The injected code runs with the privileges of the user running Vim, so the attacker gains control of that account and everything it can reach; full system compromise follows only where the victim is a privileged user or can escalate by other means. Until patched, the practical exposure is any workflow in which untrusted files are opened in Vim.

Generated by OpenCVE AI on March 31, 2026 at 06:52 UTC.

Remediation

No vendor advisory text or workaround is recorded on this page. The CVE description itself identifies Vim 9.2.0272 as the first fixed version, so the remediation is to upgrade to that release or later.

OpenCVE Recommended Actions

  • Update Vim to version 9.2.0272 or later.
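To verify what is installed before and after the update, the following is an added example (not code from OpenCVE or the Vim project) that parses the banner printed by `vim --version` and compares it against the 9.2.0272 boundary given in the CVE description. The banner format (`VIM - Vi IMproved X.Y (...)` followed by `Included patches: 1-N`, possibly with comma-separated ranges) is standard Vim output; the sample banners embedded in the block are constructed for the example, not captured from real hosts.

```python
from __future__ import annotations

import re
import shutil
import subprocess

# Added example; not code from OpenCVE or the Vim project.
# The fix boundary comes from the CVE description: Vim before 9.2.0272 is affected.
FIXED_VERSION = (9, 2, 272)

# `vim --version` starts with a banner like "VIM - Vi IMproved 9.2 (...)" and,
# on patched builds, carries a line "Included patches: 1-271"; the list may be
# comma-separated with gaps, e.g. "1-1000, 1002-1500".
_BANNER_RE = re.compile(r"VIM - Vi IMproved (\d+)\.(\d+)")
_PATCHES_RE = re.compile(r"^Included patches:\s*(.+)$", re.MULTILINE)


def parse_vim_version(version_output: str) -> tuple[int, int, int]:
    """Return (major, minor, highest_patch) parsed from `vim --version` text.

    The highest patch number listed is the effective patch level; a build
    with no "Included patches" line is treated as patch level 0.
    """
    banner = _BANNER_RE.search(version_output)
    if banner is None:
        raise ValueError("input does not look like Vim --version output")
    major, minor = int(banner.group(1)), int(banner.group(2))

    patch = 0
    patches = _PATCHES_RE.search(version_output)
    if patches is not None:
        numbers = [int(n) for n in re.findall(r"\d+", patches.group(1))]
        if numbers:
            patch = max(numbers)
    return major, minor, patch


def is_vulnerable(version_output: str) -> bool:
    """True when the build predates 9.2.0272. Tuple comparison also catches
    older minor versions (e.g. 9.1.x) regardless of their patch count."""
    return parse_vim_version(version_output) < FIXED_VERSION


def check_installed_vim(binary: str = "vim") -> bool | None:
    """Run `<binary> --version` on this host and classify the result.
    Returns True (vulnerable), False (fixed) or None when not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=False)
    return is_vulnerable(result.stdout)


# Constructed sample banners (abridged; not captured from real hosts).
SAMPLE_PRE_FIX = (
    "VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Mar 01 2026 00:00:00)\n"
    "Included patches: 1-271\n"
    "Huge version without GUI.\n"
)
SAMPLE_FIXED = (
    "VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Mar 30 2026 00:00:00)\n"
    "Included patches: 1-272\n"
)
SAMPLE_OLDER_MINOR = (
    "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Feb 01 2026 00:00:00)\n"
    "Included patches: 1-1000, 1002-1500\n"
)
SAMPLE_NO_PATCHES = (
    "VIM - Vi IMproved 9.2 (2026 Jan 01)\n"
    "Huge version without GUI.\n"
)


if __name__ == "__main__":
    for name, sample in [("pre-fix", SAMPLE_PRE_FIX), ("fixed", SAMPLE_FIXED),
                         ("older minor", SAMPLE_OLDER_MINOR),
                         ("no patches", SAMPLE_NO_PATCHES)]:
        print(f"{name:12s} {parse_vim_version(sample)} "
              f"vulnerable={is_vulnerable(sample)}")
    local = check_installed_vim()
    if local is None:
        print("local vim: not installed")
    elif local:
        print("local vim: VULNERABLE, update to 9.2.0272 or later")
    else:
        print("local vim: at or above 9.2.0272")
```

One caveat when running this against distribution packages: vendors often backport a fix without raising the upstream patch level, so a banner below 9.2.0272 on a Red Hat or Debian build may already be fixed. Treat the banner check as a first pass and confirm against the distribution's own advisory for this CVE.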

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 12:45:00 +0000
  References: changed

Thu, 02 Apr 2026 20:30:00 +0000
  References: changed

Thu, 02 Apr 2026 14:30:00 +0000
  References: changed

Tue, 31 Mar 2026 15:15:00 +0000
  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000
  Title added: vim: Vim: Arbitrary code execution via crafted file
  Weaknesses added: CWE-917
  References: changed
  Metrics (threat_severity)
    Removed: None
    Added:   Important

Mon, 30 Mar 2026 19:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 19:00:00 +0000
  First Time appeared: Vim, Vim vim
  CPEs added: cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
  Vendors & Products added: Vim, Vim vim

Mon, 30 Mar 2026 18:45:00 +0000
  Description added: Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
  Weaknesses added: CWE-78
  References: changed
  Metrics (cvssV3_1) added: {'score': 9.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L'}


MITRE
  Status: PUBLISHED
  Assigner: mitre
  Published:
  Updated: 2026-04-03T11:15:39.723Z
  Reserved: 2026-03-30T18:27:55.398Z
  Link: CVE-2026-34714

Vulnrichment
  Updated: 2026-04-03T11:15:39.723Z

NVD
  Status: Modified
  Published: 2026-03-30T19:16:26.853
  Modified: 2026-04-03T12:16:18.500
  Link: CVE-2026-34714

Redhat
  Severity: Important
  Public Date: 2026-03-30T18:27:55Z
  Links: CVE-2026-34714 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-03-31T20:40:29Z

Weaknesses