Description
Vim is an open source, command-line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
Problem types
CWE-94: Improper Control of Generation of Code ('Code Injection')
References
github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6
github.com/vim/vim/commit/7ab76a86048ed492374ac6b19
github.com/vim/vim/releases/tag/v9.2.0316