Impact
Vim includes a netrw plugin for browsing local files. In versions before 9.2.0663, the NetrwLocalRmFile() function builds an Ex command that incorporates the filename from the directory listing without properly escaping special characters. A crafted filename that contains a pipe character can terminate the intended delete command and cause Vim to execute arbitrary Vimscript, including system‑level shell commands via :call system() or :!. This flaw allows an attacker with local access to a running instance of Vim to execute arbitrary Vimscript and potentially shell commands, resulting in full compromise of the host system. The injected commands run with the privileges of the Vim process, so if a privileged user operates Vim, the attacker can gain elevated access.
Affected Systems
Vim, the open‑source command line text editor, is affected. All releases prior to version 9.2.0663 are vulnerable. The upstream Vim project has released a fix in v9.2.0663. Users of older Vim builds that still load the standard netrw plugin are susceptible.
Risk and Exploitability
The CVSS base score of 5.7 indicates a moderate risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local interaction with the netrw file browser and the ability to supply a crafted filename that contains special characters. The attack vector is therefore limited to users who can invoke a vulnerable Vim instance. For unattended or insecure installations, the risk would be moderate to high, especially if privileged users run Vim.
OpenCVE Enrichment
Ubuntu USN