Zero Day MonitorZDM

← Back to list

4.4

CVE-2026-28417PATCHED

vim · vim

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a c

Description

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Affected Products

Vendor	Product	Versions
vim	vim	< 9.2.0073

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
canonical	ubuntu linux	cert_advisory	90%
fedora	fedora linux	cert_advisory	90%
open source	vim	cert_advisory	90%
su	suse linux	cert_advisory	90%
su	suse opensuse	cert_advisory	90%

References

https://github.com/vim/vim/commit/79348dbbc09332130f4c860(Patch)
https://github.com/vim/vim/releases/tag/v9.2.0073(Release Notes)
https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336(Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/02/27/6(Mailing List, Patch, Third Party Advisory)

Related News (1 articles)

Tier B

BSI Advisories2d ago

[UPDATE] [mittel] vim: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.14.4 MEDIUM

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

9.2.0073

CWECWE-86, CWE-78

PublishedFeb 27, 2026

Last enriched7h ago

Trending Score15

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-34714

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

MEDIUMCVE-2026-25749

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vu

MEDIUMCVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n

MEDIUMCVE-2026-28420

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combin

MEDIUMCVE-2026-28421

Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unva

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Feb 27, 2026

Patch Available

Mar 3, 2026

Discovered by ZDM

Apr 1, 2026