CVE-2026-46483 - Vulnerability Details

- Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

Description

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in
runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

Published: 2026-05-15

Score: 3.6 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the tar#Vimuntar() function of Vim’s runtime autoload tar.vim, which builds shell commands without using the {special} flag for shellescape. A crafted .tgz archive filename can trigger Vim’s cmdline‑special expansion and allow execution of arbitrary shell commands in the user’s context. This constitutes a command‑line injection weakness (CWE‑78) and a shell‑execution flaw (CWE‑88). The CVSS score of 3.6 indicates moderate severity, reflecting that exploitation requires local user interaction and results in code execution with the victim’s privileges.

Affected Systems

All Vim users running versions before 9.2.0479 on Unix‑like operating systems are affected, as the issue exists in the tar.vim script bundled with those releases. The vulnerability is resolved in Vim 9.2.0479 and later. No specific operating‑system versions are limited; the flaw is tied solely to the Vim release.

Risk and Exploitability

The risk localized to systems where an attacker can place a malicious .tgz file and persuade a user to open it in Vim. The absence of an EPSS score and the lack of listing in CISA’s KEV catalogue suggest the exploit is not yet widespread. Nonetheless, the CVSS score of 3.6 and the fact that the exploit requires only local user interaction mean that an unpatched user could execute arbitrary commands. No external attack vector beyond local file handling is documented in the description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vim

affected

Version	Status	Constraints
`< 9.2.479`	affected	—

No data.

Vendor Product Confidence Versions

Vim

100%

Version	Status	Scheme	Platform
`[0,9.2.479)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Vim to version 9.2.0479 or newer.
Until the upgrade is applied, avoid opening or extracting .tgz archives in Vim or restrict usage to trusted users.
Use a dedicated tool such as tar or gunzip to extract archives instead of the Vim function.

Generated by OpenCVE AI on May 15, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00239.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1
https://github.com/vim/vim/releases/tag/v9.2.0479
https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w

History

Fri, 15 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vim Vim vim
Vendors & Products		Vim Vim vim

Fri, 15 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 15 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
Title		Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag
Weaknesses		CWE-78 CWE-88
References		https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 https://github.com/vim/vim/releases/tag/v9.2.0479 https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
Metrics		cvssV3_1 `{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

Subscriptions

Vim Vim

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-15T14:57:31.872Z

Updated: 2026-05-15T15:57:39.053Z

Reserved: 2026-05-14T18:06:06.810Z

Link: CVE-2026-46483

Vulnrichment

Updated: 2026-05-15T15:57:30.004Z

NVD

Status : Received

Published: 2026-05-15T15:16:54.237

Modified: 2026-05-15T15:16:54.237

Link: CVE-2026-46483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T16:30:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object