SB2026050476 - OS Command Injection in Vim

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2026-44656)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary shell commands.

The vulnerability exists due to command injection in the :find command-line completion path when processing a file with a modeline that sets the 'path' option to include backtick-enclosed shell commands and the user triggers file name completion. A remote attacker can supply a crafted file to execute arbitrary shell commands.

User interaction is required to open the crafted file and trigger completion, and exploitation via modeline requires the 'modeline' feature to be enabled.

Remediation

Install update from vendor's website.

References

• https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
• https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0