Impact
The Vim text editor’s zip.vim plugin builds PowerShell browse, read, extract, update, or delete commands by embedding archive entry names into a command string that is only shell‑quoted, not PowerShell‑quoted. A malicious entry name can terminate the intended string and inject arbitrary PowerShell code, allowing an attacker to run commands with the privileges of the user who opens the archive. This results in local command execution that could modify system files, exfiltrate data, or install malware.
Affected Systems
Vim releases from 9.1.1784 through 9.2.0677, inclusive, shipped with the bundled zip.vim plugin in the Vim project are affected. The vulnerability is present only on systems where Vim runs under a user who can open a zip file; it does not affect earlier releases before 9.1.1784 or users who have updated to 9.2.0678 or later.
Risk and Exploitability
The flaw carries a CVSS score of 6.5, indicating moderate severity. The EPSS score of 0.00137 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, implying limited documented exploitation. The exploit requires a local user who can open a crafted zip archive with Vim; it is not remotely exploitable over the network. On systems where untrusted archives may be opened by privileged users, the risk remains significant until the vendor‑supplied patch is applied.
OpenCVE Enrichment
Ubuntu USN