SB2026062213 - Command injection in Vim
Published: June 22, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Command injection (CVE-ID: N/A)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to command injection in autoload/zip.vim PowerShell helper functions when processing crafted zip archive entry names via the PowerShell fallback. A remote attacker can trick the victim into opening, viewing, or extracting a crafted zip archive to execute arbitrary commands.
The vulnerable code path is reached only when Vim falls back to PowerShell instead of using external zip or unzip tools. User interaction is required to open, view, or extract the crafted archive entry.
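A pre-open triage check for the condition described above, as an added example that is not part of the bulletin or of Vim's code: it lists zip entry names without extracting anything and reports whether the host could reach the PowerShell fallback. The function names, the character set, and the rule used to decide when the fallback applies are assumptions; the sample archive is constructed.

```python
import io
import shutil
import zipfile

# Assumption: characters with special meaning to PowerShell parsing/quoting.
# The bulletin does not say which characters the flaw depends on.
SUSPECT_CHARS = set("'\"`$;|&(){}<>\r\n")


def suspicious_entries(archive):
    """List (entry name, offending characters) without extracting anything.

    `archive` is a path or a binary file object; only entry names are read.
    """
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            bad = sorted(SUSPECT_CHARS.intersection(info.filename))
            if bad:
                flagged.append((info.filename, bad))
    return flagged


def fallback_possible(which=shutil.which):
    """True if zip or unzip is missing from PATH and PowerShell is present.

    Assumption: that is when Vim would use the PowerShell fallback; a tool
    configured in Vim by explicit path is not considered here.
    """
    tools_missing = which("zip") is None or which("unzip") is None
    has_powershell = any(which(n) for n in ("powershell", "pwsh"))
    return tools_missing and has_powershell


def make_sample():
    """Constructed in-memory archive: one ordinary name, one odd name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ordinary entry")
        zf.writestr("odd'name;$x.txt", "constructed entry, inert content")
    return buf


if __name__ == "__main__":
    print("PowerShell fallback possible:", fallback_possible())
    for name, chars in suspicious_entries(make_sample()):
        print(f"review before opening in Vim: {name!r} contains {chars}")
```

A flagged name is a reason to inspect the archive with another tool before opening it in an unpatched Vim, not proof of malicious intent.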
Remediation
Install the update from the vendor's website.