
Description

Vim is an open source, command-line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

State: PUBLISHED | Reserved 2026-04-26 | Published 2026-05-08 | Updated 2026-05-08 | Assigner: GitHub_M

Severity: MEDIUM 4.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 9.2.0383: affected

References

github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx

github.com/...ommit/405e2fb6d54d5653523809e2853d99d1c000a5fc

github.com/vim/vim/releases/tag/v9.2.0383

cve.org (CVE-2026-42307)

nvd.nist.gov (CVE-2026-42307)
