OS Command Injection in Vim - CVE-2026-44656
Published: May 4, 2026 / Updated: May 12, 2026
Vim
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary shell commands.
The vulnerability exists due to command injection in the :find command-line completion path. It is reached when Vim processes a file with a modeline that sets the 'path' option to include backtick-enclosed shell commands and the user then triggers file name completion. A remote attacker can supply a crafted file to execute arbitrary shell commands.
User interaction is required to open the crafted file and trigger completion, and exploitation via modeline requires the 'modeline' feature to be enabled.
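A defensive check based on the description above, as an added example that is not part of the original advisory or of Vim's own code: it scans the head and tail lines that Vim inspects for modelines and flags any that assign a backtick-containing value to 'path'. The modeline matching is a simplified heuristic, and the function names and sample strings are assumptions constructed for illustration.

```python
import re

# Vim only inspects the first and last 'modelines' lines of a file (default: 5).
DEFAULT_MODELINES = 5

# Simplified modeline prefix: vi:, vim:, Vim:, vim{N}: / vim>{N}: style, or ex:.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(?P<body>.*)$")

# Assignment to 'path' (short name 'pa') with =, +=, ^= or -=; the value ends at
# unescaped whitespace or ':' because those separate modeline options.
PATH_SET_RE = re.compile(r"(?:^|[\s:])(?:path|pa)[+^-]?=(?P<value>(?:\\.|[^\s:\\])*)")


def modeline_candidates(text, modelines=DEFAULT_MODELINES):
    """Return (line_number, line) pairs from the head and tail of the file."""
    lines = text.splitlines()
    head = range(min(modelines, len(lines)))
    tail = range(max(0, len(lines) - modelines), len(lines))
    return [(i + 1, lines[i]) for i in sorted(set(head) | set(tail))]


def find_backtick_path_modelines(text, modelines=DEFAULT_MODELINES):
    """Flag modelines that assign a backtick-containing value to 'path'."""
    hits = []
    for lineno, line in modeline_candidates(text, modelines):
        match = MODELINE_RE.search(line)
        if not match:
            continue
        for assignment in PATH_SET_RE.finditer(match.group("body")):
            if "`" in assignment.group("value"):
                hits.append((lineno, line.strip()))
                break
    return hits


# Constructed sample inputs; `<command>` is a placeholder, not a real payload.
SAMPLE_FLAGGED = "int main(void) { return 0; }\n/* vim: set path=`<command>` : */\n"
SAMPLE_CLEAN = "# vim: set ts=4 sw=4 path=.,src/** :\nprint('hello')\n"

if __name__ == "__main__":
    for name, sample in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, find_backtick_path_modelines(sample))
```

Because the matcher is looser than Vim's own parser, treat a hit as a reason to review the file before opening it, not as proof of a malicious modeline.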