Is Command Injection affected by CVE-2026-34982?

Vim versions prior to 9.2.0276 contain a critical arbitrary command execution vulnerability triggered by malicious file content, allowing attackers to bypass security protections and execute system commands without user authentication.

CVE-2026-34982

EUVD-2026-19313 HIGH

2026-04-06 GitHub_M

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 06, 2026 - 15:30 vuln.today

EUVD ID Assigned

Apr 06, 2026 - 15:30 euvd

EUVD-2026-19313

CVE Published

Apr 06, 2026 - 15:16 nvd

HIGH 8.2

Description

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Analysis

Arbitrary OS command execution in Vim prior to version 9.2.0276 occurs when users open maliciously crafted files containing modeline directives that bypass sandbox protections. The vulnerability exploits missing security flags on the complete, guitabtooltip, and printheader options, plus an unchecked mapset() function, enabling attackers to escape Vim's modeline sandbox and execute system commands. …

Remediation

Within 24 hours: Inventory all Vim installations across engineering and operations teams; identify instances running versions prior to 9.2.0276. Within 7 days: Upgrade Vim to version 9.2.0276 or later across all affected systems; prioritize machines with elevated privileges or production access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: 0

CVE-2026-34982 vulnerability details – vuln.today

Back

CVE-2026-34982

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34982

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code