Description
Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Vim text editor’s zip.vim plugin builds PowerShell browse, read, extract, update, or delete commands by embedding archive entry names into a command string that is only shell‑quoted, not PowerShell‑quoted. A malicious entry name can terminate the intended string and inject arbitrary PowerShell code, allowing an attacker to run commands with the privileges of the user who opens the archive. This results in local command execution that could modify system files, exfiltrate data, or install malware.

Affected Systems

Vim releases from 9.1.1784 through 9.2.0677, inclusive, shipped with the bundled zip.vim plugin in the Vim project are affected. The vulnerability is present only on systems where Vim runs under a user who can open a zip file; it does not affect earlier releases before 9.1.1784 or users who have updated to 9.2.0678 or later.

Risk and Exploitability

The flaw carries a CVSS score of 6.5, indicating moderate severity. The EPSS score of 0.00137 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, implying limited documented exploitation. The exploit requires a local user who can open a crafted zip archive with Vim; it is not remotely exploitable over the network. On systems where untrusted archives may be opened by privileged users, the risk remains significant until the vendor‑supplied patch is applied.

Generated by OpenCVE AI on June 28, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0678 or a later release that contains the security fix.
  • Discontinue use of the zip.vim plugin in environments that handle untrusted archives, or configure Vim to ignore zip files until the patch is applied.
  • Run Vim under the lowest‑privilege user account possible, especially in shared or multi‑user settings, to limit the potential impact of any command execution.

Generated by OpenCVE AI on June 28, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8500-1 Vim vulnerabilities
History

Sun, 28 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
Title Vim: PowerShell Command Injection via Unescaped Filename in zip.vim Extraction
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T16:01:15.560Z

Reserved: 2026-06-24T13:21:20.730Z

Link: CVE-2026-57453

cve-icon Vulnrichment

Updated: 2026-06-26T15:57:04.006Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T15:26:48Z

Links: CVE-2026-57453 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:15:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')