Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
AnalysisAI
Command injection in Vim 9.x text editor allows local attackers to execute arbitrary shell commands when a user opens specially crafted .tgz archive filenames. The vulnerability exploits insufficient sanitization in the tar#Vimuntar() function's shellescape() call, enabling cmdline-special character expansion. Exploitation requires user interaction (opening the malicious archive) and high attack complexity (filename manipulation), limiting real-world risk despite the command injection class. Fixed in version 9.2.0479 via GitHub commit 3fb5e58f. No evidence of active exploitation or public POC beyond the vendor's test case.
Technical ContextAI
The vulnerability resides in Vim's tar.vim autoload plugin, specifically the tar#Vimuntar() function that handles .tgz archive decompression on Unix-like systems. The function constructs shell commands (!gunzip and !gzip -d) by concatenating user-controlled input (the archive filename) using Vim's shellescape() function without the {special} flag. This omission allows Vim's cmdline-special characters (such as %, #, <cword>) to be expanded before shell execution, enabling command injection through filename manipulation. The fix adds the {special} flag (value 1) to shellescape() calls, preventing cmdline expansion and treating special characters as literal strings. This is a classic example of CWE-78 (OS Command Injection) where insufficient neutralization of special elements occurs in a command construction context. The commit diff shows the minimal two-line change adding the missing sanitization parameter.
RemediationAI
Upgrade to Vim version 9.2.0479 or later, which includes the shellescape sanitization fix from commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1. The fix is available through the official Vim GitHub release at https://github.com/vim/vim/releases/tag/v9.2.0479 and should propagate to distribution package managers (apt, yum, brew, ports) within normal update cycles. For environments unable to immediately upgrade, disable the tar.vim plugin by adding 'let g:loaded_tar = 1' to vimrc configuration before any archives are opened-this prevents the vulnerable code from loading but removes archive browsing functionality entirely. As a compensating control, implement filename validation in any scripts or workflows that programmatically open archives in Vim, rejecting filenames containing shell metacharacters (quotes, backticks, dollar signs, semicolons, percent signs). This workaround has the side effect of preventing legitimate use of special characters in archive names. User training to avoid opening archives with suspicious filenames provides defense-in-depth but is not technically enforceable. The patch has no known side effects and maintains backward compatibility with normal archive handling.
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this
{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th
vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln
Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no
Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no
Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30542