Description
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
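The splice-into-triple-quotes pattern the description refers to, shown next to a hardened variant and a structural pre-exec check. This is an added illustration written for this page, not Vim's runtime code; the `repr()`-based builder and the `ast` check are one hardening approach (an assumption, not necessarily the upstream fix), and the sample docstrings are constructed.

```python
import ast

def build_stub_unsafe(name: str, docstring: str) -> str:
    """Flawed pattern described in the advisory: the docstring is spliced
    verbatim between triple quotes, so a docstring that itself contains
    three double quotes terminates the literal early."""
    return f'def {name}():\n    """{docstring}"""\n    pass\n'

def build_stub_safe(name: str, docstring: str) -> str:
    """Hardened variant (assumption, not upstream's fix): repr() emits a
    valid Python string literal with quotes, backslashes and newlines
    escaped, so no docstring content can leave the literal."""
    return f'def {name}():\n    {docstring!r}\n    pass\n'

def stub_is_wellformed(source: str) -> bool:
    """Defensive check: accept only a module holding exactly one function
    whose body is a single string constant followed by `pass`."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.FunctionDef):
        return False
    body = tree.body[0].body
    return (len(body) == 2
            and isinstance(body[0], ast.Expr)
            and isinstance(body[0].value, ast.Constant)
            and isinstance(body[0].value.value, str)
            and isinstance(body[1], ast.Pass))

def exec_stub_checked(source: str) -> dict:
    """Refuse to exec() any reconstructed stub the structural check rejects."""
    if not stub_is_wellformed(source):
        raise ValueError("reconstructed stub contains unexpected statements")
    ns: dict = {}
    exec(source, ns)
    return ns

# Constructed sample docstrings (not taken from any real buffer).
BENIGN_DOC = "Return the sum of a and b."
BREAKOUT_DOC = '"""; marker = "injected"; """'  # closes and reopens the literal

if __name__ == "__main__":
    print(stub_is_wellformed(build_stub_unsafe("f", BREAKOUT_DOC)))  # False
    print(stub_is_wellformed(build_stub_safe("f", BREAKOUT_DOC)))    # True
```

With the unsafe builder the constructed docstring becomes an assignment statement inside the stub, which the `ast` check rejects; with the `repr()` builder the same text survives intact as the function's `__doc__`.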
Published: 2026-06-25
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from how Vim's Python omni-completion reconstructs function and class definitions from the current buffer and passes them to exec(). Each docstring is inserted unchanged between triple quotes, with no escaping. A malicious buffer can therefore break out of the string literal and inject arbitrary Python code, which is executed during completion. The flaw is a code injection vulnerability (CWE‑94) that grants arbitrary code execution within the Vim process.

Affected Systems

Vim releases up through 9.2.0698, including the earlier 9.1.x and 9.0.x series, are affected. The problem is present in the autoload files python3complete.vim and pythoncomplete.vim, which are part of the default Vim runtime. All users running Vim with Python omni-completion enabled are vulnerable unless they upgrade to version 9.2.0699 or later.

Risk and Exploitability

The CVSS score of 8.4 classifies this flaw as high severity, and while EPSS data is not available, the lack of a KEV listing does not reduce the risk of exploitation. An attacker who can influence the contents of a buffer that Vim will process for omni-completion can trigger arbitrary code execution locally. The attack vector is likely local, but it could be leveraged by an attacker who gains elevated privileges to run Vim as a privileged user.

Generated by OpenCVE AI on June 25, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to 9.2.0699 or later, which contains the fix.
  • If an upgrade is not immediately possible, disable the vulnerable python3complete.vim and pythoncomplete.vim autoload files by removing them from your runtime/autoload directory or commenting out their loading in your vimrc.
  • Avoid running Vim with Python omni‑completion enabled in environments where untrusted buffers may be opened, and restrict the use of Vim to non‑privileged users whenever possible.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vim
                                      Vim vim
Vendors & Products                    Vim
                                      Vim vim

Thu, 25 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
Title                          Vim: Arbitrary Code Execution via Python Omni-Completion Docstrings
Weaknesses                     CWE-94
References
Metrics                        cvssV4_0
                               {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:53.888Z

Reserved: 2026-06-24T13:21:20.731Z

Link: CVE-2026-57456

Vulnrichment

Updated: 2026-06-25T17:41:40.680Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:45:15Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')