CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Description
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
Analysis
Vim versions before 9.2.0272 allow arbitrary command execution as soon as a malicious file is opened, through %{expr} injection in tabpanel components that lack the P_MLE flag. The attack is local and unauthenticated and requires no user interaction beyond opening the file; the CVSS score of 9.2 (Critical) reflects the scope change and the high confidentiality and integrity impact. …
Remediation
Within 24 hours: Inventory all Vim installations and identify versions prior to 9.2.0272; communicate critical patch availability to users and restrict opening untrusted files pending update. Within 7 days: Deploy Vim 9.2.0272 or later across all endpoints via patch management; verify completion across development, administrative, and user workstations. …
Vendor Status
Debian
| Release | Status | Package Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2:8.2.2434-3+deb11u1 | - |
| bullseye (security) | vulnerable | 2:8.2.2434-3+deb11u3 | - |
| bookworm | vulnerable | 2:9.0.1378-2+deb12u2 | - |
| trixie | vulnerable | 2:9.1.1230-2 | - |
| forky, sid | vulnerable | 2:9.2.0218-1 | - |
| (unstable) | fixed | (unfixed) | - |
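As an added example for the inventory step under Remediation (not part of this advisory or of Vim), the Python below turns `vim --version` output and Debian package version strings like those in the table above into comparable (major, minor, patch) tuples and flags anything below 9.2.0272. The `vim --version` text is a constructed sample; Vim reports the release ("9.1") and the highest applied patch ("Included patches: 1-1230") on separate lines, which is why a naive grep for "9.2.0272" misses affected builds.

```python
import re

# Fixed release named in the advisory: Vim 9.2 with patch 272.
FIXED = (9, 2, 272)

# Constructed sample of `vim --version` output (not captured from a real host).
SAMPLE_VIM_VERSION = """\
VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 10 2025 12:00:00)
Included patches: 1-1230
Compiled by constructed-example
Huge version without GUI.  Features included (+) or not (-):
"""

def parse_vim_version_output(text):
    """Return (major, minor, patch) from `vim --version` output.

    Vim prints the release on the first line ("VIM - Vi IMproved 9.1 ...")
    and the highest applied patch on its own line ("Included patches:
    1-1230"), so the two lines must be combined to get 9.1.1230.
    """
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not vim --version output")
    # Take the last number of the patch range list (e.g. "1-100, 102-1230").
    p = re.search(r"^Included patches: .*?(\d+)\s*$", text, re.MULTILINE)
    patch = int(p.group(1)) if p else 0
    return (int(m.group(1)), int(m.group(2)), patch)

def parse_debian_version(pkgver):
    """Return (major, minor, patch) from a Debian vim package version such
    as "2:9.2.0218-1", dropping the epoch and the Debian revision."""
    upstream = pkgver.split(":", 1)[-1].split("-", 1)[0]
    parts = [int(x) for x in upstream.split(".")[:3]]
    while len(parts) < 3:          # pad "9.2" to (9, 2, 0)
        parts.append(0)
    return tuple(parts)

def is_vulnerable(version):
    """Tuple comparison orders 9.1.1230 < 9.2.0272 < 9.2.0300 correctly."""
    return tuple(version) < FIXED

if __name__ == "__main__":
    # Package versions taken from the Debian table on this page.
    for pkg in ["2:8.2.2434-3+deb11u1", "2:9.1.1230-2", "2:9.2.0218-1"]:
        v = parse_debian_version(pkg)
        print(pkg, "->", v, "VULNERABLE" if is_vulnerable(v) else "fixed")
    v = parse_vim_version_output(SAMPLE_VIM_VERSION)
    print("vim --version ->", v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```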
EUVD-2026-17160
GHSA-mfxw-q267-mgp6