Main Vulnerability Database Vulnerabilities #VU126870

OS Command Injection in Vim - CVE-2026-41411

Published: April 22, 2026

Vulnerability identifier: #VU126870

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-41411

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Vim.org

Affected software:
Vim

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands.

The vulnerability exists due to improper neutralization of special elements used in an os command in tag file processing when resolving tag filenames from a tags file. A remote attacker can place a specially crafted tags file entry containing backtick syntax and trigger tag navigation to execute arbitrary shell commands.

User interaction is required to perform tag navigation such as :tag, Ctrl-], or vim -t after opening Vim in a directory containing a malicious tags file.

How to mitigate CVE-2026-41411

Install security update from vendor's website.

Sources

https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8

OS Command Injection in Vim - CVE-2026-41411

Detailed vulnerability description

How to mitigate CVE-2026-41411

Sources

Please verify you're human