Zero Day Monitor (ZDM)
CVE-2026-33412 · PATCHED · CVSS 5.6
vim · vim

Description

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Affected Products

Vendor | Product | Versions
vim | vim | < 9.2.0202

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
ibm | qradar siem | cert_advisory | 90%
open source | vim | cert_advisory | 90%
red hat | red hat enterprise linux | cert_advisory | 90%

References

  • https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a (Patch)
  • https://github.com/vim/vim/releases/tag/v9.2.0202 (Product)
  • https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c (Patch, Vendor Advisory)
  • http://www.openwall.com/lists/oss-security/2026/03/19/10 (Mailing List, Patch, Third Party Advisory)

Related News (4 articles)

  • Tier B · BSI Advisories · 4d ago
    [NEW] [high] IBM QRadar SIEM: Multiple vulnerabilities
    → No new info (linked only)
  • Tier B · BSI Advisories · 53d ago
    [UPDATE] [medium] vim: Vulnerability allows code execution
    → No new info (linked only)
  • Tier A · Microsoft MSRC · 64d ago
    CVE-2026-33412 Vim affected by Command injection via newline in glob()
    → No new info (linked only)
  • Tier B · CERT-FR · 65d ago
    Multiple vulnerabilities in Microsoft products (26 March 2026)
    → No new info (linked only)

CVSS 3.1: 5.6 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 9.2.0202
CWE: CWE-78
Published: Mar 24, 2026
Last enriched: 59d ago
Trending Score: 23
Source articles: 4
Independent: 3
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • MEDIUM · PRE-CVE · EXP
    Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.561
    Trending: 39
  • HIGH · CVE-2026-34982
    Vim modeline bypass via various options affects Vim < 9.2.0276
    Trending: 31
  • LOW · CVE-2026-46483 · EXP
    Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag
    Trending: 8
  • MEDIUM · CVE-2026-45130 · EXP
    Vim: Heap Buffer Overflow in spell file loading
    Trending: 6
  • CRITICAL · CVE-2026-44656 · EXP
    Vim: OS Command Injection via 'path' completion
    Trending: 5

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 24, 2026
Patch Available: Mar 25, 2026
Discovered by ZDM: Apr 1, 2026