Description
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
Published: 2026-04-08
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Patch
AI Analysis

Impact

Vim's NetBeans integration contains a command injection flaw: a malicious NetBeans server can send unsanitized strings to the Vim client, and Vim interprets those strings as Ex commands, letting the attacker run arbitrary commands on the machine where Vim is executing. The vulnerability stems from insufficient input validation of the defineAnnoType and specialKeys protocol messages.

Affected Systems

All Vim releases older than 9.2.0316 that enable the NetBeans integration feature are affected. Users who run such a Vim and connect to any NetBeans server are at risk, irrespective of the operating system, as long as the Vim client uses the vulnerable integration.

Risk and Exploitability

The CVSS score of 5 indicates a moderate risk level, and the EPSS score is unavailable, so the likely exploitation probability is not quantified. The vulnerability is not part of the CISA KEV catalog. Based on the description, it is inferred that the attacker must control the NetBeans server that the Vim client connects to, and that the command injection occurs while that connection is established. Exploitability therefore depends on the presence of an attacker-controlled NetBeans service that the victim chooses to connect to, or is automatically connected to through configuration.

Generated by OpenCVE AI on April 9, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vim to version 9.2.0316 or later to eliminate the command injection flaw.
  • If immediate update is not feasible, disable the NetBeans integration feature in Vim or avoid connecting to NetBeans servers that are not trusted until a patch is applied.

Generated by OpenCVE AI on April 9, 2026 at 01:50 UTC.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Vim, Vim vim

Type: Vendors & Products
Values Removed: (none)
Values Added: Vim, Vim vim

Thu, 09 Apr 2026 00:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Wed, 08 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Type: Title
Values Removed: (none)
Values Added: Vim Ex command injection in Vim's NetBeans integration

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T13:50:24.001Z

Reserved: 2026-04-07T20:32:03.010Z

Link: CVE-2026-39881

Vulnrichment

Updated: 2026-04-09T13:50:19.099Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:17:00.400

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39881

Redhat

Severity : Moderate

Public Date: 2026-04-08T20:18:19Z

Links: CVE-2026-39881 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:27:22Z

Weaknesses