Vim CVE-2026-41411

| EUVD-2026-25575 MEDIUM
OS Command Injection (CWE-78)
2026-04-24 [email protected]
Command Injection
6.6
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Patch available
Apr 24, 2026 - 18:01 EUVD
Analysis Generated
Apr 24, 2026 - 17:32 vuln.today

DescriptionNVD

Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., command), Vim executes the embedded command via the system shell with the full privileges of the running user.

AnalysisAI

Command injection in Vim's tag file processing allows local attackers to execute arbitrary shell commands with user privileges when resolving tags containing backtick syntax. Versions prior to 9.2.0357 are affected. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-41411 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy