Code Injection in Vim - CVE-2026-55895

 


Published: June 18, 2026


Vulnerability identifier: #VU134882
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-55895
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vim.org
Affected software:
Vim

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in s:NetrwLocalRmFile() in the netrw plugin when deleting a local file from the browser using a crafted filename from the directory listing. A remote attacker can place a file with a crafted name containing Ex command separators and trick the victim into deleting that entry to execute arbitrary code.

User interaction is required to delete the specific crafted file entry, and exploitation is limited to environments where filenames may contain the bar character.
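A defensive check for the condition described above, as an added example that is not part of the original advisory or of Vim: it walks a directory tree and reports entries whose names contain the bar character, so they can be reviewed before the directory is browsed. Flagging control characters (newline included) as well is an assumption of this example, since the advisory names only the bar character; `suspicious_reason` and `audit_tree` are hypothetical names.

```python
import os
import sys

# The advisory names the bar character. Treating control bytes (newline,
# carriage return, ESC, ...) as suspicious too is this example's assumption.
BAR = ord("|")


def suspicious_reason(name: bytes):
    """Return why a raw filename is flagged, or None if it looks ordinary."""
    if BAR in name:
        return "bar character"
    if any(b < 0x20 or b == 0x7F for b in name):
        return "control character"
    return None


def audit_tree(root):
    """Walk root and return sorted (path_bytes, reason) for flagged entries.

    Names are handled as raw bytes so that entries which are not valid
    text in the current locale are still inspected.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        # Directory names appear in the listing too, so check both.
        for name in dirnames + filenames:
            reason = suspicious_reason(name)
            if reason is not None:
                findings.append((os.path.join(dirpath, name), reason))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit_tree(target)
    for path, reason in results:
        # repr() escapes control bytes so a name cannot alter terminal output.
        print(f"{reason}: {path!r}")
    # Non-zero exit status lets the check gate a script or CI step.
    sys.exit(1 if results else 0)
```

Flagged entries can be renamed or removed from a shell rather than from the file browser until the update is installed.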


How to mitigate CVE-2026-55895

Install the security update from the vendor's website.
