Description
Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
Published: 2026-06-11
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Vim's cucumber filetype plugin. Step‑definition patterns read from .rb files in features/* or stories/* directories are inserted into a Ruby Kernel.eval call without proper escaping. This allows an attacker who controls a repository to craft a regex that contains arbitrary Ruby code, which will be executed whenever the user triggers the step‑jump mapping. The weakness is a classic code injection (CWE‑94) coupled with unsafe evaluation of user input (CWE‑95).

Affected Systems

Affected products include Vim (open‑source command‑line editor) running with +ruby support before version 9.2.0496. The patch is in release 9.2.0496, and any earlier Vim builds that load runtime/ftplugin/cucumber.vim on an attacker‑controlled repository are vulnerable. All platforms that compile Vim with Ruby support are potentially impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user to open a malicious repository and invoke the step‑jump mapping; thus the attack vector is local and depends on the presence of +ruby support. While unlikely to be delivered remotely, a compromised user could gain full control of the local system through arbitrary shell commands executed by the injected Ruby code.

Generated by OpenCVE AI on June 11, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0496 or later, which removes the unsafe eval from the cucumber plugin.
  • If upgrading is not immediately possible, rebuild Vim without +ruby support or disable the cucumber filetype plugin by removing or commenting out runtime/ftplugin/cucumber.vim.
  • Avoid opening untrusted repositories that contain step‑definition .rb files and refrain from using the step‑jump mapping until the CVE is patched or the vulnerable plugin is disabled.

Generated by OpenCVE AI on June 11, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
Title Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex
Weaknesses CWE-94
CWE-95
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Vim Vim
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T03:55:40.798Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47167

cve-icon Vulnrichment

Updated: 2026-06-11T19:35:52.272Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T19:16:44.560

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-47167

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')

  • CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')