Main Vulnerability Database Vulnerabilities #VU125037

OS Command Injection in Vim - CVE-2026-34982

Published: April 7, 2026

Vulnerability identifier: #VU125037

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-34982

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Vim.org

Affected software:
Vim

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary OS commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in modeline processing for the complete, guitabtooltip, and printheader options and the mapset() function when opening a crafted file. A remote attacker can deliver a specially crafted file to execute arbitrary OS commands.

User interaction is required to open a crafted file.

How to mitigate CVE-2026-34982

Install security update from vendor's website.

Sources

https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9

OS Command Injection in Vim - CVE-2026-34982

Detailed vulnerability description

How to mitigate CVE-2026-34982

Sources

Please verify you're human