SB2026061855 - Code Injection in Vim
Published: June 18, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Code Injection (CVE-ID: CVE-2026-55895)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in s:NetrwLocalRmFile() in the netrw plugin when deleting a local file from the browser using a crafted filename from the directory listing. A remote attacker can place a file with a crafted name containing Ex command separators and trick the victim into deleting that entry to execute arbitrary code.
User interaction is required to delete the specific crafted file entry, and exploitation is limited to environments where filenames may contain the bar character.
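A defensive check for the condition described above, as an added example that is not part of the bulletin or of Vim: it lists directory entries whose names contain the bar character so they can be reviewed before the directory is browsed and cleaned up with netrw. The function names and the choice to scan only for `|` are assumptions of this example.

```python
import os
import sys

# Separator named in the bulletin: the bar character. Assumption of this
# example: only "|" is scanned for; extend the tuple to flag other bytes.
SEPARATORS = (b"|",)


def find_separator_names(root, separators=SEPARATORS):
    """Return sorted paths (bytes) under root whose final component
    contains one of the separator bytes.

    The walk uses bytes paths so that names which are not valid UTF-8
    are still inspected instead of raising a decoding error.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            if any(sep in name for sep in separators):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def printable(path):
    """Escape control and non-ASCII characters so that a hostile name
    cannot inject terminal sequences into the report itself."""
    return ascii(os.fsdecode(path))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = find_separator_names(root)
    for path in found:
        print("bar character in name:", printable(path))
    # Non-zero exit status lets a wrapper script or CI job act on findings.
    sys.exit(1 if found else 0)
```

Flagged entries can be renamed or removed from a shell with the name properly quoted rather than from the netrw browser.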
Remediation
Install the update from the vendor's website.