Zero Day Monitor (ZDM)
5.6
CVE-2026-33412 · PATCHED
vim · vim

Description

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Affected Products

Vendor | Product | Versions
vim | vim | < 9.2.0202

References

  • https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a (Patch)
  • https://github.com/vim/vim/releases/tag/v9.2.0202 (Product)
  • https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c (Patch, Vendor Advisory)
  • http://www.openwall.com/lists/oss-security/2026/03/19/10 (Mailing List, Patch, Third Party Advisory)

Related News (2 articles)

Tier A · Microsoft MSRC · 5d ago
CVE-2026-33412 Vim affected by Command injection via newline in glob()
→ No new info (linked only)
Tier B · CERT-FR · 7d ago
Multiple vulnerabilities in Microsoft products (26 March 2026)
→ No new info (linked only)
CVSS 3.1: 5.6 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 9.2.0202
CWE: CWE-78
Published: Mar 24, 2026
Last enriched: 7h ago
Trending Score: 17
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-34714
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
Trending: 44
MEDIUM · CVE-2026-25749
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vu
Trending: 22
MEDIUM · CVE-2026-28420
Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combin
Trending: 15
MEDIUM · CVE-2026-28421
Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unva
Trending: 15
MEDIUM · CVE-2026-28418
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malfo
Trending: 15

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 24, 2026
Patch Available: Mar 25, 2026
Discovered by ZDM: Apr 1, 2026