SB2026061855 - Code Injection in Vim




Published: June 18, 2026

Security Bulletin ID: SB2026061855
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Code Injection (CVE-ID: CVE-2026-55895)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in s:NetrwLocalRmFile() in the netrw plugin when deleting a local file from the browser using a crafted filename from the directory listing. A remote attacker can place a file with a crafted name containing Ex command separators and trick the victim into deleting that entry to execute arbitrary code.

User interaction is required to delete the specific crafted file entry, and exploitation is limited to environments where filenames may contain the bar character.
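
A triage check for the condition described above, added here as an example (it is not part of the bulletin or of Vim): it walks a directory tree and lists entries whose names contain the bar character, so they can be reviewed before the tree is browsed in netrw. The names `find_bar_names` and `main` are assumptions made for this example.

```python
import os
import sys

BAR = b"|"  # the bar character the bulletin names as the precondition


def find_bar_names(root):
    """Return sorted (kind, printable_path) pairs for every entry under
    root whose own name contains the bar character."""
    hits = []
    # Walk with bytes paths so names that are not valid UTF-8 are still
    # visited; symlinked directories are not followed.
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root),
                                                followlinks=False):
        for kind, names in (("dir", dirnames), ("file", filenames)):
            for name in names:
                if BAR in name:
                    full = os.path.join(dirpath, name)
                    # ascii() escapes control and undecodable bytes, so
                    # printing a hit cannot emit terminal escape sequences.
                    hits.append((kind, ascii(os.fsdecode(full))))
    return sorted(hits)


def main(argv):
    """Print one hit per line; exit status 1 if anything was flagged."""
    root = argv[1] if len(argv) > 1 else "."
    hits = find_bar_names(root)
    for kind, shown in hits:
        print(f"{kind}\t{shown}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one name matched; the check is a review aid and does not replace installing the update.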


Remediation

Install the update from the vendor's website.