Description
Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
Published: 2026-06-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim, the widely used command‑line editor, contains a flaw in its Python omni‑completion feature. The feature executes import and from statements found in the current buffer through Python's standard import machinery. Because the buffer's directory is automatically added to sys.path, a hostile .py file located next to a Python package can cause the package’s top‑level code to run with the user’s privileges. This leads to arbitrary code execution, as arbitrary scripts can be executed without the user’s explicit request. The weakness is reflected in the CWE list (CWE‑829, CWE‑94, CWE‑95).

Affected Systems

Products affected are Vim builds that support the +python3 interpreter (or +python for older builds). All releases prior to 9.2.0561 contain the vulnerability. The patch is available in 9.2.0561 and later versions.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity. The EPSS score is not provided, but the vulnerability has already received a security advisory and is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker who can trick a user into opening a malicious Python file and triggering omni‑completion in a Vim session can execute arbitrary code. If the user runs Vim with a working directory that contains a malicious Python package, the vulnerability is exploitable without additional privileges. This risk is mitigated by the availability of a patch but remains significant until the patch is applied.

Generated by OpenCVE AI on June 11, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0561 or newer to apply the vendor patch.
  • If an upgrade is not immediately possible, remove or rename the Python omni‑completion script (python3complete.vim) from Vim’s runtime path so that the feature cannot be invoked.
  • Avoid opening untrusted Python files while Omni‑completion is enabled, or run Vim in a clean working directory that does not contain untrusted packages and ensure that the working directory is not on sys.path during execution.

Generated by OpenCVE AI on June 11, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8451-1 Vim vulnerabilities
History

Mon, 15 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 12 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
Title Vim: Arbitrary Code Execution via Python Omni-Completion
Weaknesses CWE-829
CWE-94
CWE-95
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T12:48:03.075Z

Reserved: 2026-06-08T18:41:27.724Z

Link: CVE-2026-52858

cve-icon Vulnrichment

Updated: 2026-06-12T12:48:00.092Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T19:16:47.487

Modified: 2026-06-15T13:32:35.193

Link: CVE-2026-52858

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')

  • CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')