Main Vulnerability Database Vulnerabilities #VU125037

#VU125037 OS Command Injection in Vim - CVE-2026-34982

Published: April 7, 2026

Vulnerability identifier: #VU125037

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-34982

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Vim

Software vendor:
Vim.org

Description

The vulnerability allows a remote attacker to execute arbitrary OS commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in modeline processing for the complete, guitabtooltip, and printheader options and the mapset() function when opening a crafted file. A remote attacker can deliver a specially crafted file to execute arbitrary OS commands.

User interaction is required to open a crafted file.

Remediation

Install security update from vendor's website.

External links

https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9

#VU125037 OS Command Injection in Vim - CVE-2026-34982

Description

Remediation

External links

Please verify you're human