Zero Day MonitorZDM

← Back to list

5.0

CVE-2026-39881

vim · vim

Vim Ex command injection in Vims NetBeans integration

Description

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Affected Products

Vendor	Product	Versions
vim	vim	< 9.2.0316

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	vim	cert_advisory	90%

References

https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6(x_refsource_CONFIRM)
https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19(x_refsource_MISC)
https://github.com/vim/vim/releases/tag/v9.2.0316(x_refsource_MISC)

Related News (3 articles)

Tier A

Microsoft MSRC5d ago

CVE-2026-39881 Vim Ex command injection in Vims NetBeans integration

→ No new info (linked only)

Tier B

BSI Advisories6d ago

[UPDATE] [mittel] vim: Schwachstelle ermöglicht Codeausführung

→ No new info (linked only)

Tier C

VulDB7d ago

CVE-2026-39881 | vim up to 9.2.315 defineAnnoType/specialKeys code injection (GHSA-mr87-rhgv-7pw6)

→ No new info (linked only)

CVSS 3.15.0 MEDIUM

VectorCVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-94

PublishedApr 8, 2026

Last enriched7d agov2

Trending Score19

Source articles3

Independent3

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

Command injection via backtick expansion in tag filenames in Vim

HIGHCVE-2026-34982

Vim modeline bypass via various options affects Vim < 9.2.0276

MEDIUMCVE-2026-32249

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a charac

CRITICALCVE-2026-35177EXP

Path traversal issue with zip.vim in Vim

MEDIUMCVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Updated: affectedVersions, severity

Apr 9, 2026

Version History

v2

Last enriched 7d ago

v2Tier C7d ago

Updated affected versions to include 9.2.315, changed severity to CRITICAL, and noted that there is no exploit available.

affectedVersionsseverity

via VulDB

v17d ago

Initial creation