Neovim
Command injection in Neovim up to version 0.12.2 allows a local attacker with low privileges to execute arbitrary Vim commands by crafting a file with a malicious name containing pipe (`|`) or other Vim Ex command separators. The vulnerable code path is the `M.read` function in `runtime/lua/vim/secure.lua`, which concatenates an unsanitized file path directly into a `vim.cmd('sview ...')` call when a user selects the 'View' action in Neovim's security trust prompt. This CVE is not listed in CISA KEV, indicating no confirmed widespread active exploitation; however, a publicly available proof-of-concept exploit exists (GitHub issue #39914) and an official patch has been released (commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf via PR #39918).
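The unsafe pattern described above beside one hardened form, as an added illustration that is not Neovim's own code or its patch; it assumes the file name is only ever used as a single `:sview` argument and relies on `vim.fn.fnameescape()` to neutralise Ex command separators.

```lua
-- Added example (not from runtime/lua/vim/secure.lua or the upstream fix).
-- Run inside Neovim, e.g. :luafile this.lua

-- Vulnerable shape: the path is spliced verbatim into an Ex command line, so a
-- '|' inside the file name terminates :sview and starts a second command.
local function view_unsafe(path)
  vim.cmd('sview ' .. path)
end

-- Hardened: fnameescape() backslash-escapes characters that are special in a
-- file-name command argument (including '|', '%', '#' and whitespace), so the
-- whole string is parsed as exactly one file name.
local function view_safe(path)
  vim.cmd('sview ' .. vim.fn.fnameescape(path))
end

-- Self-check on a constructed name (no file is opened): the escaped form must
-- contain no unescaped '|' that the Ex parser would treat as a separator.
local function has_unescaped_bar(s)
  return s:sub(1, 1) == '|' or s:find('[^\\]|') ~= nil
end

local sample = 'notes|report.txt'   -- constructed sample file name
assert(has_unescaped_bar(sample))
assert(not has_unescaped_bar(vim.fn.fnameescape(sample)))
print('fnameescape result: ' .. vim.fn.fnameescape(sample))

return { view_unsafe = view_unsafe, view_safe = view_safe }
```

Any code that builds an Ex command string from user- or file-system-controlled data should be audited for the same concatenation pattern, with `fnameescape()` (or passing arguments through an API that does not re-parse them as a command line) applied before the string reaches `vim.cmd`.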