Skip to main content

Vim netrw CVE-2026-47162

| EUVD-2026-36281 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-11 GitHub_M
RCE Vim
7.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Trigger is a filesystem directory name (AV:L) the attacker need not own (PR:N), but the victim must browse it with netrw and re-source history (UI:R, AC:H); full user-context RCE gives C/I/A:H.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 11, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 11, 2026 - 19:20 vuln.today
Analysis Generated
Jun 11, 2026 - 19:20 vuln.today

DescriptionCVE.org

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

AnalysisAI

Vimscript code injection in the netrw plugin shipped with Vim before 9.2.0495 allows attackers who can plant or have a victim browse a maliciously named directory to execute arbitrary Vimscript and shell commands in the user's Vim session. The flaw resides in s:NetrwBookHistSave(), which serializes directory paths into ~/.vim/.netrwhist using unescaped single-quoted string literals, so a directory name containing a single quote breaks out of the literal and is executed the next time Vim sources the history. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant directory with quoted Vimscript payload
Delivery
Victim browses path in netrw
Exploit
NetrwBookHistSave writes unescaped name to ~/.vim/.netrwhist
Execution
Victim restarts Vim and sources history
Persist
Injected Vimscript executes via system()/:!
Impact
Attacker code runs as the user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the victim to be running Vim earlier than 9.2.0495 with the bundled netrw plugin loaded (default in most distributions), (2) the attacker to be able to place a directory whose name contains a single quote plus Vimscript payload on a filesystem the victim will browse - local disk, archive extraction, shared mount, repository checkout, or similar, (3) the victim to navigate into or bookmark that directory using netrw such that s:NetrwBookHistSave() runs and writes ~/.vim/.netrwhist, and (4) the victim to start a subsequent Vim session that sources the history file (default behavior when g:netrw_dirhistmax > 0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 7.3 (High) with AT:P, PR:L and UI:A, signalling that exploitation depends on a specific attack precondition (the crafted directory existing on the filesystem) and on active victim interaction (browsing it with netrw such that bookmark/history save fires, then re-launching Vim). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker plants a directory whose name contains a crafted single-quote-escaping Vimscript payload - for example via a tarball, git repository, shared network mount, or a writable team directory. When the victim later opens that location with netrw (e.g., :Explore or :edit on the parent) and netrw serializes the visit into ~/.vim/.netrwhist, the malicious name is written unescaped; the next Vim launch sources the history file and executes the injected Vimscript, which can shell out via system() or :! …
Remediation Vendor-released patch: Vim 9.2.0495 - upgrade Vim (or the netrw runtime files) to this version or later, per the advisory at https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c and the tagged release https://github.com/vim/vim/releases/tag/v9.2.0495. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Vim installations and document which users have netrw plugin active. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-52859 MEDIUM
6.9 Jun 11

Out-of-bounds read in Vim's built-in terminal emulator (`:terminal` feature) prior to version 9.2.0565 allows a program

CVE-2026-47167 MEDIUM
5.1 Jun 11

Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shel

Share

CVE-2026-47162 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy