Main Vulnerability Database SB2025120309

SB2025120309 - Remote code execution in Vim for Windows

Published: December 3, 2025

Security Bulletin ID SB2025120309

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Untrusted search path (CVE-ID: CVE-2025-66476)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to usage of an untrusted search path in Vim on Windows. A remote attacker can trick the victim into opening a specially crafted file with the editor and execute arbitrary OS commands on the system.

Remediation

Install update from vendor's website.

References

https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834