Description
Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
Published: 2026-05-08
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim's :find completion can execute shell commands embedded in backticks within the path option. Because the path option can be set via a modeline and lacks a security flag, an attacker who can inject a modeline into a file may cause those commands to run when the file is opened and the :find completion is used, allowing execution of arbitrary shell commands with the privileges of the Vim user. The vulnerability does not provide denial of service or direct data disclosure; the impact is limited to command execution in the context of the Vim process.

Affected Systems

Vim releases prior to version 9.2.0435 are affected; the patch is included in 9.2.0435. The vendor target is vim:vim.

Risk and Exploitability

With a CVSS score of 4.6, the vulnerability is considered moderate. No EPSS score is available, and it is not listed in the CISA KEV catalog. The attack requires a malicious file that contains a modeline and a user who opens that file and triggers :find completion, so user interaction is required. When these conditions are met, the attacker can execute arbitrary shell commands with the privileges of the Vim user; however, this does not automatically lead to full system compromise unless the Vim user has elevated privileges.

Generated by OpenCVE AI on May 9, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0435 or later.
  • Disable modelines for untrusted files if the upgrade cannot be performed.
  • Avoid using :find completion in buffers opened from untrusted files, or whenever the path option contains backtick entries.
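The two mitigations above (disable modelines, and do not run :find completion while the path option carries backtick entries) can be wired into a vimrc. The fragment below is an added example written for this page; it is not OpenCVE's or the Vim project's code. It assumes a patch check via has('patch-9.2.0435') and a hypothetical helper named s:AuditPathOption; the BufWinEnter autocommand is used because Vim processes modelines after BufReadPost and before BufWinEnter, so a path value injected by a modeline is visible at that point.

```vim
" Added defensive vimrc fragment (example, not from the OpenCVE page or Vim).

" Report at startup when this Vim predates the fix, so the remaining settings
" are understood as a stopgap rather than a replacement for upgrading.
if !has('patch-9.2.0435')
  echomsg 'Vim older than 9.2.0435: :find completion may expand backticks in ''path'''
endif

" 1. Close the modeline vector: an opened file can no longer set 'path'
"    (or any other option) in this editor session.
set nomodeline
set modelines=0

" 2. Audit 'path' whenever a buffer is displayed. BufWinEnter fires after
"    modelines have been processed (BufReadPost fires before them), so this
"    still catches an injected value if 'modeline' is ever re-enabled.
function! s:AuditPathOption() abort
  for l:entry in split(&path, ',')
    " A backtick in a 'path' entry is what an unpatched :find completion
    " hands to the shell; warn loudly so the user does not trigger completion.
    if l:entry =~# '`'
      echohl WarningMsg
      echomsg "'path' contains a backtick entry (shell expansion): " . l:entry
      echohl None
    endif
  endfor
endfunction

augroup AuditPathOption
  autocmd!
  autocmd BufWinEnter * call s:AuditPathOption()
augroup END
```

The audit only warns; it deliberately does not rewrite the path option, since a legitimate configuration may rely on backtick entries and the user should decide. Upgrading to 9.2.0435 or later remains the actual fix.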



Advisories

No advisories yet.

History

Sat, 09 May 2026 00:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Vim; Vim vim
Vendors & Products    (none)           Vim; Vim vim

Fri, 08 May 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
Title         (none)           Vim: OS Command Injection via 'path' completion
Weaknesses    (none)           CWE-78
References    (none)           (none)
Metrics       (none)           cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:40:49.673Z

Reserved: 2026-05-07T15:30:10.876Z

Link: CVE-2026-44656

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:39.783

Modified: 2026-05-08T23:16:39.783

Link: CVE-2026-44656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T01:30:16Z

Weaknesses