Skip to main content

Vim CVE-2026-46483

| EUVDEUVD-2026-30542 LOW
OS Command Injection (CWE-78)
2026-05-15 security-advisories@github.com
3.6
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.6 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 15, 2026 - 16:01 EUVD
Source Code Evidence Fetched
May 15, 2026 - 15:30 vuln.today
Analysis Generated
May 15, 2026 - 15:30 vuln.today

DescriptionGitHub Advisory

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

AnalysisAI

Command injection in Vim 9.x text editor allows local attackers to execute arbitrary shell commands when a user opens specially crafted .tgz archive filenames. The vulnerability exploits insufficient sanitization in the tar#Vimuntar() function's shellescape() call, enabling cmdline-special character expansion. Exploitation requires user interaction (opening the malicious archive) and high attack complexity (filename manipulation), limiting real-world risk despite the command injection class. Fixed in version 9.2.0479 via GitHub commit 3fb5e58f. No evidence of active exploitation or public POC beyond the vendor's test case.

Technical ContextAI

The vulnerability resides in Vim's tar.vim autoload plugin, specifically the tar#Vimuntar() function that handles .tgz archive decompression on Unix-like systems. The function constructs shell commands (!gunzip and !gzip -d) by concatenating user-controlled input (the archive filename) using Vim's shellescape() function without the {special} flag. This omission allows Vim's cmdline-special characters (such as %, #, <cword>) to be expanded before shell execution, enabling command injection through filename manipulation. The fix adds the {special} flag (value 1) to shellescape() calls, preventing cmdline expansion and treating special characters as literal strings. This is a classic example of CWE-78 (OS Command Injection) where insufficient neutralization of special elements occurs in a command construction context. The commit diff shows the minimal two-line change adding the missing sanitization parameter.

RemediationAI

Upgrade to Vim version 9.2.0479 or later, which includes the shellescape sanitization fix from commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1. The fix is available through the official Vim GitHub release at https://github.com/vim/vim/releases/tag/v9.2.0479 and should propagate to distribution package managers (apt, yum, brew, ports) within normal update cycles. For environments unable to immediately upgrade, disable the tar.vim plugin by adding 'let g:loaded_tar = 1' to vimrc configuration before any archives are opened-this prevents the vulnerable code from loading but removes archive browsing functionality entirely. As a compensating control, implement filename validation in any scripts or workflows that programmatically open archives in Vim, rejecting filenames containing shell metacharacters (quotes, backticks, dollar signs, semicolons, percent signs). This workaround has the side effect of preventing legitimate use of special characters in archive names. User training to avoid opening archives with suspicious filenames provides defense-in-depth but is not technically enforceable. The patch has no known side effects and maintains backward compatibility with normal archive handling.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Share

CVE-2026-46483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy