Description
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
Published: 2026-05-08
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim's built-in netrw plugin contains an OS command injection flaw. When a user opens a specially crafted URL (such as those using sftp:// or file://), Vim executes arbitrary shell commands with the privileges of the Vim process. This enables an attacker to compromise confidentiality, integrity, and availability by running commands, installing malware, or modifying system files, and is classified as CWE-78.

Affected Systems

All releases of Vim before 9.2.0383 are affected. The issue is fixed in version 9.2.0383 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 4.4, indicating a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to get a user to open a malicious URL, so it typically relies on social engineering. Because the fix is already available, the practical risk depends on whether systems are running a patched version.

Generated by OpenCVE AI on May 8, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0383 or newer to apply the vendor’s patch.
  • If upgrading is not feasible, disable the netrw plugin or configure Vim to reject or not process external URL handlers.
  • Restrict the privileges of the user accounts that run Vim and audit for any unintended command execution.

Generated by OpenCVE AI on May 8, 2026 at 23:20 UTC.
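
A defender-side check for the version boundary given above (fixed in 9.2.0383), added here as an example; it is not part of the OpenCVE record or of Vim's own tooling. It assumes the usual `vim --version` layout, a first line of the form "VIM - Vi IMproved <major>.<minor> (...)" and a later "Included patches: 1-<n>" line, and runs offline on constructed sample output.

```shell
#!/bin/sh
# Constructed sample `vim --version` output (assumption: real output starts
# with "VIM - Vi IMproved <major>.<minor> (...)" and later carries a line
# "Included patches: 1-<n>"; the patch level is the last number on that line).
SAMPLE_OLD='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 02 2024 10:00:00)
Included patches: 1-1200
Compiled by example@host
Huge version without GUI.'

SAMPLE_FIXED='VIM - Vi IMproved 9.2 (2026 Apr 01, compiled Apr 01 2026 10:00:00)
Included patches: 1-383
Compiled by example@host
Huge version without GUI.'

# vim_version_tuple TEXT: print "major minor patch" parsed from TEXT, or fail.
vim_version_tuple() {
  major=$(printf '%s\n' "$1" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p' | head -n 1)
  minor=$(printf '%s\n' "$1" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p' | head -n 1)
  # A build with no patches has no "Included patches" line: treat it as patch level 0.
  patch=$(printf '%s\n' "$1" | sed -n 's/^Included patches: .*-\([0-9][0-9]*\)$/\1/p' | head -n 1)
  [ -n "$major" ] && [ -n "$minor" ] || return 1
  printf '%s %s %s\n' "$major" "$minor" "${patch:-0}"
}

# netrw_cve_fixed TEXT: return 0 when TEXT describes Vim >= 9.2.0383 (fixed),
# 1 for an affected build, 2 when no version can be parsed from TEXT.
netrw_cve_fixed() {
  tuple=$(vim_version_tuple "$1") || return 2
  set -- $tuple
  if [ "$1" -gt 9 ]; then return 0; fi
  if [ "$1" -lt 9 ]; then return 1; fi
  if [ "$2" -gt 2 ]; then return 0; fi
  if [ "$2" -lt 2 ]; then return 1; fi
  [ "$3" -ge 383 ]
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_OLD" "$SAMPLE_FIXED"; do
  if netrw_cve_fixed "$sample"; then
    echo "Vim $(vim_version_tuple "$sample"): patched for CVE-2026-42307"
  else
    echo "Vim $(vim_version_tuple "$sample"): affected, upgrade to 9.2.0383 or newer"
  fi
done
```

To check an installed editor, call `netrw_cve_fixed "$(vim --version)"` and act on its exit status.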

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vim; Vim vim
Vendors & Products                    Vim; Vim vim

Fri, 08 May 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description                    Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
Title                          Vim: OS Command Injection in netrw
Weaknesses                     CWE-78
References
Metrics                        cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:38:53.964Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42307

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:36.777

Modified: 2026-05-08T23:16:36.777

Link: CVE-2026-42307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:15:20Z

Weaknesses