Is Command Injection affected by CVE-2026-33412?

Organizations using Vim should be aware of moderate risk from CVE-2026-33412, a OS command injection vulnerability rated CVSS 5.6. Exploitation could allow attackers to execute code or inject malicious input. Organizations should apply vendor updates when available and monitor for exploitation.

CVE-2026-33412

EUVD-2026-14998 MEDIUM

2026-03-24 GitHub_M

5.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 24, 2026 - 20:00 vuln.today

EUVD ID Assigned

Mar 24, 2026 - 20:00 euvd

EUVD-2026-14998

CVE Published

Mar 24, 2026 - 19:43 nvd

MEDIUM 5.6

Description

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Analysis

Vim versions prior to 9.2.0202 contain a command injection vulnerability in the glob() function on Unix-like systems that allows local attackers with limited privileges to execute arbitrary shell commands by embedding newline characters in glob patterns. The vulnerability's impact depends on the user's shell configuration setting, and while it requires local access and user interaction, it can result in unauthorized code execution with the privileges of the Vim process.

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +28

POC: 0

Vendor Status

Ubuntu

Priority: Medium

vim

Release	Status	Version
trusty	needs-triage	-
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
questing	needs-triage	-
upstream	needs-triage	-

Debian

Bug #1131450

vim

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	2:8.2.2434-3+deb11u1	-
bullseye (security)	vulnerable	2:8.2.2434-3+deb11u3	-
bookworm	vulnerable	2:9.0.1378-2+deb12u2	-
trixie	vulnerable	2:9.1.1230-2	-
forky	vulnerable	2:9.1.2141-1	-
sid	fixed	2:9.2.0218-1	-
(unstable)	fixed	2:9.2.0218-1	-

CVE-2026-33412 vulnerability details – vuln.today

Back

CVE-2026-33412

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2026-33412

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code