Skip to main content

Vim CVE-2026-59858

HIGH
Code Injection (CWE-94)
2026-07-09 GitHub_M
8.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local because the victim must open a malicious file (AV:L) and actively invoke completion (UI:R); no privileges needed (PR:N), and the injected command runs as the user yielding full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 23:20 vuln.today

DescriptionCVE.org

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.

AnalysisAI

Arbitrary Ex command execution in Vim before 9.2.0735 arises from its C omni-completion script (runtime/autoload/ccomplete.vim), which interpolates the unescaped typeref: or typename: field of a tags entry into a :vimgrep pattern passed to :execute. Because :vimgrep treats the bar character as a command separator, a crafted tag field can terminate the search pattern and append an attacker-controlled command that runs with the privileges of the editing user when a victim opens a malicious .c file and triggers C omni-completion. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft tags file with Ex command in typeref field
Delivery
Distribute malicious C project to victim
Exploit
Victim opens .c file and runs C omni-completion
Execution
ccomplete.vim injects field into :execute'd :vimgrep
Impact
Arbitrary Ex command runs as editing user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim open a .c file from an attacker-controlled project whose accompanying ctags tags file contains a crafted entry with a malicious typeref: or typename: extension field, AND that the victim invoke Vim's C omni-completion (Ctrl-X Ctrl-O) on a symbol resolved through that entry; only Vim versions prior to 9.2.0735 are affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, score 8.4) is internally consistent with the description: exploitation is local (the victim must open a file), requires no privileges, but does require active user interaction (opening the hostile .c file and invoking C omni-completion). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a seemingly legitimate C project (for example on a public repository) that includes a tags file whose typeref: or typename: field contains a bar followed by an Ex command such as one that spawns a shell. A developer clones the project, opens one of its .c files in a vulnerable Vim, and presses Ctrl-X Ctrl-O to complete a symbol, at which point the injected Ex command executes with the developer's privileges. …
Remediation Vendor-released patch: upgrade to Vim 9.2.0735 or later, which escapes the tag field before it is placed into the :vimgrep pattern (see advisory GHSA-mf92-v4xw-j45x at https://github.com/vim/vim/security/advisories/GHSA-mf92-v4xw-j45x and commit 6b611b0d15603c52ebdad17172b0232b4f65704e). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Alert C/C++ development teams to disable C omni-completion (add 'set omnifunc=' to .vimrc) and avoid opening .c files from untrusted sources; audit for Vim versions before 9.2.0735 in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Share

CVE-2026-59858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy