Skip to main content

Vim CVE-2026-41411

| EUVDEUVD-2026-25575 MEDIUM
OS Command Injection (CWE-78)
2026-04-24 security-advisories@github.com
6.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 13:39 nvd
Patch available
Patch available
Apr 24, 2026 - 18:01 EUVD
Analysis Generated
Apr 24, 2026 - 17:32 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 17:22 euvd
EUVD-2026-25575
Analysis Generated
Apr 24, 2026 - 17:22 vuln.today
CVE Published
Apr 24, 2026 - 17:16 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., command), Vim executes the embedded command via the system shell with the full privileges of the running user.

AnalysisAI

Command injection in Vim's tag file processing allows local attackers to execute arbitrary shell commands with user privileges when resolving tags containing backtick syntax. Versions prior to 9.2.0357 are affected. The vulnerability requires user interaction (opening a crafted tags file or navigating to a tag), but once triggered, grants full command execution capability in the context of the Vim process.

Technical ContextAI

Vim's tag resolution mechanism processes tag files to navigate code definitions. The vulnerability resides in the filename field parsing logic, where wildcard expansion is applied to resolve environment variables and glob patterns. When this expansion encounters backtick syntax (command substitution, a shell metacharacter), the embedded command is executed via system shell invocation rather than being treated as literal filename text. This occurs during tag lookup when users press Ctrl-] or similar tag-jump commands. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) identifies the root cause: insufficient input validation and sanitization before shell command construction.

RemediationAI

Upgrade to Vim 9.2.0357 or later from https://github.com/vim/vim/releases/tag/v9.2.0357. Patch details are available in the security advisory at https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8. As an interim compensating control, users should audit tags files for backtick syntax (command substitution patterns) before opening or navigating tags, particularly from untrusted sources or public repositories. Additionally, restricting write access to tags files to trusted users and scanning version control systems for malicious tags entries can reduce attack surface. Note that disabling tag functionality entirely (via setting 'tags=' to empty) eliminates the vulnerability but removes tag-jump convenience features.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-41411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy