Impact
Vim, the widely used command-line editor, contains a flaw in its Python omni-completion feature. To offer completions, the feature executes the import and from statements found in the current buffer through Python's standard import machinery. Because the buffer's directory is automatically added to sys.path, a hostile .py file located next to a Python package can cause that package's top-level code to run with the user's privileges. The result is arbitrary code execution: scripts run without the user's explicit request. The weakness maps to CWE-829, CWE-94 and CWE-95.
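The mechanism described above is ordinary Python behaviour: importing a module runs its top-level code, so a completer that resolves a buffer's imports by importing them will execute whatever module the buffer's directory happens to contain. The following added example (not Vim's pythoncomplete.vim, and not code from the Vim project) contrasts that import-based approach with a static ast-based scan that reads the same names without executing anything. The temporary directory, the module name "sidecar", the MARKER file and the buffer contents are all constructed fixtures for this demonstration.

```python
"""
Added example (not Vim's own pythoncomplete.vim code): resolve a buffer's
import statements (a) by actually importing them with the buffer's directory
on sys.path, which runs the imported module's top-level code, and (b) by
parsing them with the ast module, which binds nothing and runs nothing.
"""
import ast
import importlib
import os
import sys
import tempfile

# Constructed buffer contents: what a user might have open in the editor.
BUFFER = """\
import os
from sidecar import helper
x = os.path.join("a", "b")
"""

# Constructed neighbouring module: its top-level code leaves a marker file
# so we can observe whether merely "completing" the buffer executed it.
SIDECAR_SOURCE = """\
import os
with open(os.path.join(os.path.dirname(__file__), "MARKER"), "w") as f:
    f.write("top-level code ran\\n")

def helper():
    return 42
"""


def write_sidecar(directory):
    """Place sidecar.py next to the buffer's file (constructed fixture)."""
    path = os.path.join(directory, "sidecar.py")
    with open(path, "w") as f:
        f.write(SIDECAR_SOURCE)
    importlib.invalidate_caches()  # make sure the new file is seen
    return path


def imported_names_dynamic(buffer_text, buffer_dir):
    """Unsafe pattern: resolve imports by executing them with the buffer's
    directory at the front of sys.path, the way an import-based completer
    does. Returns the names bound in the resulting namespace."""
    sys.path.insert(0, buffer_dir)
    namespace = {}
    try:
        for node in ast.parse(buffer_text).body:
            if isinstance(node, (ast.Import, ast.ImportFrom)):
                # Executing the statement imports (and therefore runs) the module.
                exec(ast.unparse(node), namespace)
        return sorted(k for k in namespace if not k.startswith("__"))
    finally:
        sys.path.remove(buffer_dir)
        sys.modules.pop("sidecar", None)  # do not leave the fixture cached


def imported_names_static(buffer_text):
    """Safe pattern: read the import statements without executing anything.
    Returns the names the buffer would bind, derived purely from syntax."""
    bound = []
    for node in ast.walk(ast.parse(buffer_text)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # "import a.b" binds "a"; "import a.b as c" binds "c"
                bound.append(alias.asname or alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                bound.append(alias.asname or alias.name)
    return sorted(bound)


def demo():
    """Run both strategies against the constructed fixture and report
    whether the neighbouring module's top-level code executed."""
    with tempfile.TemporaryDirectory() as d:
        write_sidecar(d)
        marker = os.path.join(d, "MARKER")
        static_names = imported_names_static(BUFFER)
        static_executed = os.path.exists(marker)      # expected: False
        dynamic_names = imported_names_dynamic(BUFFER, d)
        dynamic_executed = os.path.exists(marker)     # expected: True
    return {
        "static_names": static_names,
        "static_executed": static_executed,
        "dynamic_names": dynamic_names,
        "dynamic_executed": dynamic_executed,
    }


if __name__ == "__main__":
    print(demo())
```

Both strategies recover the same completion names, but only the import-based one leaves the marker behind: the static parser never gives sidecar.py a chance to run. That is the design choice a completer should make when the directory on sys.path is controlled by whoever wrote the files the user is editing.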
Affected Systems
Affected products are Vim builds with the +python3 interpreter (or +python in older builds). All releases prior to 9.2.0561 contain the vulnerability; the fix ships in 9.2.0561 and later versions.
Risk and Exploitability
The CVSS score of 7.3 indicates high severity. No EPSS score is provided; a security advisory has been published, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker who can get a user to open a malicious Python file and trigger omni-completion in a Vim session can execute arbitrary code. If the user runs Vim with a working directory that contains a malicious Python package, the vulnerability is exploitable without additional privileges. The availability of a patch mitigates the risk, but it remains significant until the patch is applied.