Vim EUVD-2026-19426

CVE-2026-35177 (MEDIUM)
Path Traversal (CWE-22)
2026-04-06 security-advisories@github.com
CVSS 3.1 score: 4.1 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 4.1 MEDIUM, AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
SUSE: MEDIUM (qualitative)
Red Hat: 4.1 MEDIUM (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events)

Patch available: Apr 16, 2026 - 05:29 (EUVD), 9.2.0280
EUVD ID Assigned: Apr 06, 2026 - 18:22 (euvd), EUVD-2026-19426
Analysis Generated: Apr 06, 2026 - 18:22 (vuln.today)
CVE Published: Apr 06, 2026 - 18:16 (nvd), MEDIUM 4.1

Description (GitHub Advisory)

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Analysis (AI)

Vim 9.2.0279 and earlier contain a path traversal bypass in the zip.vim plugin that allows a local attacker, with user interaction, to overwrite arbitrary files when a specially crafted zip archive is opened. The vulnerability circumvents the prior fix for CVE-2025-53906 and affects users who process untrusted ZIP files. …


Vulnerability Assessment (AI)

Risk Assessment: The CVSS vector (AV:L/AC:H/PR:N/UI:R/S:C) indicates this is a local-only attack requiring high complexity and user interaction (opening a crafted ZIP file), which substantially limits real-world exploitability. …
Exploit Scenario: An attacker creates a specially crafted ZIP archive containing files with path traversal sequences designed to bypass Vim's directory restrictions (for example, entries that extract to '../../../etc/vim/vimrc' or similar locations). The attacker distributes this archive to a target user (via email, file sharing, or other means). …
Remediation: Vendor-released patch: Vim 9.2.0280. …


Vendor Status

SUSE

Severity: Medium
Product: Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud: Fixed
SLES15-SP6-CHOST-BYOS: Fixed
SLES15-SP6-CHOST-BYOS-Aliyun: Fixed
SLES15-SP6-CHOST-BYOS-Azure: Fixed
SLES15-SP6-CHOST-BYOS-EC2: Fixed
