
Vim

27 CVEs product

Monthly

CVE-2026-52859 MEDIUM PATCH This Month

Out-of-bounds read in Vim's built-in terminal emulator (`:terminal` feature) prior to version 9.2.0565 allows a program running inside a `:terminal` window to crash Vim by outputting crafted Unicode combining characters that exhaust all six libvterm cell slots, causing the unguarded loop in `update_snapshot()` to walk past the fixed-size array and append out-of-bounds memory into the scrollback buffer. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit code has been identified, placing this in the lower-urgency tier despite the CVSS 4.0 score of 6.9. Real-world exploitation is constrained by the requirement that a victim be actively using Vim's `:terminal` feature to render attacker-influenced program output.

Information Disclosure Buffer Overflow Vim
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47162 HIGH PATCH This Week

Vimscript code injection in the netrw plugin shipped with Vim before 9.2.0495 allows attackers who can plant or have a victim browse a maliciously named directory to execute arbitrary Vimscript and shell commands in the user's Vim session. The flaw resides in s:NetrwBookHistSave(), which serializes directory paths into ~/.vim/.netrwhist using unescaped single-quoted string literals, so a directory name containing a single quote breaks out of the literal and is executed the next time Vim sources the history. No public exploit identified at time of analysis, but a proof-of-concept payload is embedded in the upstream regression test (Test_netrw_injection).

RCE Vim
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-47167 MEDIUM PATCH This Month

Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shell command execution on any Vim build compiled with +ruby support, prior to version 9.2.0496. An attacker who controls .rb step definition files in a repository can craft a regex-terminating payload that escapes a Kernel.eval() argument, enabling full shell access as the victim's user when the developer invokes the [d or ]d step-jump mapping. No public exploit identified at time of analysis, but the patch commit includes a working proof-of-concept demonstrating the injection technique.

Code Injection RCE Vim
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46483 LOW PATCH Monitor

Command injection in Vim 9.x text editor allows local attackers to execute arbitrary shell commands when a user opens specially crafted .tgz archive filenames. The vulnerability exploits insufficient sanitization in the tar#Vimuntar() function's shellescape() call, enabling cmdline-special character expansion. Exploitation requires user interaction (opening the malicious archive) and high attack complexity (filename manipulation), limiting real-world risk despite the command injection class. Fixed in version 9.2.0479 via GitHub commit 3fb5e58f. No evidence of active exploitation or public POC beyond the vendor's test case.

Command Injection Vim
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.2%
CVE-2026-45130 MEDIUM POC PATCH This Month

Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.

Heap Overflow Buffer Overflow Vim
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-42307 MEDIUM PATCH This Month

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

Command Injection Vim
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-39881 MEDIUM PATCH This Month

Vim 9.2.0315 and earlier contains a command injection vulnerability in the netbeans interface that allows a malicious netbeans server to execute arbitrary Ex commands via unsanitized strings in defineAnnoType and specialKeys protocol messages. An authenticated local attacker with user-level privileges and ability to interact with a netbeans connection can achieve code execution with the privileges of the Vim process. The vulnerability is fixed in Vim 9.2.0316.

RCE Command Injection Code Injection Vim
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-35177 MEDIUM PATCH This Month

Vim 9.2.0279 and earlier contains a path traversal bypass in the zip.vim plugin that allows local attackers with user interaction to overwrite arbitrary files when opening specially crafted zip archives. This vulnerability circumvents a prior fix for CVE-2025-53906, affecting users who process untrusted ZIP files. The vulnerability requires local access and user interaction to trigger, with a CVSS score of 4.1 indicating low to moderate severity; no public exploit code or active exploitation has been identified at the time of analysis.

Path Traversal Vim
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-34982 HIGH PATCH This Week

Arbitrary OS command execution in Vim prior to version 9.2.0276 occurs when users open maliciously crafted files containing modeline directives that bypass sandbox protections. The vulnerability exploits missing security flags on the complete, guitabtooltip, and printheader options, plus an unchecked mapset() function, enabling attackers to escape Vim's modeline sandbox and execute system commands. Publicly available exploit code exists. With EPSS data unavailable and no CISA KEV listing, real-world exploitation risk depends heavily on social engineering success, though the low attack complexity (CVSS AC:L) and no authentication requirement (PR:N) lower the barrier for opportunistic attacks against users who routinely open untrusted files.

Command Injection Vim
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32249 MEDIUM PATCH This Month

Vim is an open source, command line text editor. Versions from 9.1.0011 up to and including 9.2.0137 are affected by a null pointer dereference (CVSS 5.3).

Null Pointer Dereference Denial Of Service Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28422 LOW PATCH Monitor

Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. [CVSS 2.2 LOW]

Buffer Overflow Vim
NVD GitHub VulDB
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-28421 MEDIUM POC PATCH This Month

Vim versions before 9.2.0077 contain heap buffer overflow and segmentation fault vulnerabilities in swap file recovery that can be triggered by opening a specially crafted swap file, affecting users who recover sessions from untrusted sources. An attacker could exploit this to cause application crashes or potentially achieve code execution through memory corruption. A patch is available in version 9.2.0077 and later.

Code Injection Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28420 MEDIUM POC PATCH This Month

Vim versions prior to 9.2.0076 contain a heap buffer overflow and out-of-bounds read vulnerability in the terminal emulator when handling Unicode combining characters from supplementary planes, allowing a local attacker with user interaction to cause memory corruption and denial of service. The vulnerability requires local access and user interaction to trigger, with no confidentiality impact but potential integrity and availability consequences. A patch is available in version 9.2.0076 and later.

Buffer Overflow Heap Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-28419 MEDIUM PATCH This Month

Vim versions prior to 9.2.0075 contain a heap buffer underflow in the tags file parser that triggers when processing malformed tag files with delimiters at line starts, potentially allowing local attackers with user interaction to read out-of-bounds memory and cause information disclosure or crashes. The vulnerability requires local file system access and user interaction to exploit, with a CVSS score of 5.3 indicating medium severity. A patch is available in Vim 9.2.0075 and later versions.

Heap Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28418 MEDIUM PATCH This Month

Vim versions prior to 9.2.0074 contain a heap buffer overflow in the Emacs-style tags file parser that allows reading up to 7 bytes of out-of-bounds memory when processing malformed tags files. A local attacker can trigger this vulnerability through a crafted tags file to leak sensitive information from the application's memory. The vulnerability has been patched in version 9.2.0074 and later.

Buffer Overflow Heap Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-28417 MEDIUM PATCH This Month

Arbitrary command execution in Vim's netrw plugin prior to version 9.2.0073 allows attackers to execute shell commands with user privileges by crafting malicious URLs (such as scp:// handlers) that users are tricked into opening. The vulnerability requires user interaction but poses a local privilege escalation risk in multi-user environments. A patch is available in Vim 9.2.0073 and later.

Command Injection Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-26269 MEDIUM PATCH This Month

Stack buffer overflow in Vim's NetBeans integration allows a malicious NetBeans server to corrupt memory and potentially crash the editor or execute arbitrary code through a specially crafted specialKeys command. The vulnerability affects Vim builds with NetBeans support enabled and requires user interaction to connect to a compromised server. A patch is available in Vim version 9.1.2148 and later.

Buffer Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25749 MEDIUM POC PATCH This Month

Heap buffer overflow in Vim's tag file resolution allows local attackers with user privileges to corrupt heap memory and crash the application or potentially execute code by supplying a malicious 'helpfile' option value. The vulnerability exists in the get_tagfname() function which fails to validate the length of user-controlled input before copying it into a fixed-size buffer. Public exploit code exists for this issue affecting Vim prior to version 9.1.2132, though a patch is available.

Buffer Overflow Heap Overflow Vim
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-66476 HIGH PATCH This Week

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Information Disclosure Microsoft Ubuntu Debian Vim +2
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-55158 MEDIUM PATCH This Month

Vim is an open source, command line text editor. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity.

Information Disclosure Vim Red Hat Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-55157 MEDIUM PATCH This Month

Vim is an open source, command line text editor. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Buffer Overflow Use After Free Vim Red Hat +1
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-53906 MEDIUM POC PATCH This Month

Path traversal in Vim's zip.vim plugin prior to version 9.1.1551 allows local attackers to overwrite arbitrary files when a user opens a specially crafted zip archive, potentially enabling arbitrary command execution if sensitive files or privileged locations are targeted. The vulnerability requires direct user interaction (opening a malicious zip file in Vim) and has low real-world impact due to high attack complexity and local attack vector, though publicly available exploit code exists. EPSS exploitation probability is minimal at 0.03% (7th percentile), reflecting the friction imposed by user interaction requirements.

Vim Path Traversal RCE Red Hat Suse
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-29768 MEDIUM PATCH This Month

Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. Rated medium severity (CVSS 4.4), this vulnerability requires no authentication and has low attack complexity.

Information Disclosure Vim Bootstrap Os Red Hat Suse
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-27423 HIGH PATCH This Week

Vim is an open source, command line text editor. Rated high severity (CVSS 7.1), this vulnerability requires no authentication and has low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Vim Hci Compute Node Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
1.0%
CVE-2025-26603 MEDIUM PATCH This Month

Vim is a greatly improved version of the good old UNIX editor Vi. Rated medium severity (CVSS 4.2). This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Information Disclosure Vim Hci Compute Node +2
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-1215 LOW POC PATCH Monitor

A vulnerability classified as problematic was found in vim up to 9.1.1096. Rated low severity (CVSS 2.4), this vulnerability has low attack complexity. Public exploit code is available.

Buffer Overflow Vim Bootstrap Os
NVD GitHub VulDB
CVSS 4.0
2.4
EPSS
0.0%
CVE-2025-24014 MEDIUM PATCH Monitor

Vim is an open source, command line text editor. Rated medium severity (CVSS 4.2). This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Buffer Overflow Vim Hci Compute Node Firmware Red Hat +1
NVD GitHub
CVSS 3.1
4.2
EPSS
0.1%
