Zero Day MonitorZDM

← Back to list

3.6

CVE-2026-46483EXPLOITEDPATCHED

vim · vim

Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

Description

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

Affected Products

Vendor	Product	Versions
vim	vim	< 9.2.479, < 9.2.495, < 9.2.0513, < 9.2.565

References

https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w(x_refsource_CONFIRM)
https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1(x_refsource_MISC)
https://github.com/vim/vim/releases/tag/v9.2.0479(x_refsource_MISC)

Related News (5 articles)

Tier C

oss-security4h ago

[vim-security] Out-of-bounds Read in Terminal Screen Snapshot in Vim < 9.2.565

→ No new info (linked only)

Tier C

oss-security7d ago

[vim-security] Multiple Memory Safety Issues in Vim Spell File Parser affects Vim < 9.2.0513

→ No new info (linked only)

Tier C

oss-security13d ago

[vim-security] Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name affects Vim < 9.2.495

→ No new info (linked only)

Tier A

Microsoft MSRC13d ago

CVE-2026-46483 Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

→ No new info (linked only)

Tier C

VulDB15d ago

CVE-2026-46483 | vim up to 9.2.0478 Archive File runtime/autoload/tar.vim Vimuntar os command injection (GHSA-2fpv-9ff7-xg5w)

→ No new info (linked only)

CVSS 3.13.6 LOW

VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

9.2.0479

CWECWE-78, CWE-88, CWE-94, CWE-74, CWE-125, CWE-908, CWE-674

PublishedMay 15, 2026

Last enriched15d agov2

Tags

code-injectionvimnetrwmemory-safetyspell-parserout-of-bounds-readterminal-vulnerability

Trending Score8

Source articles5

Independent3

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMPRE-CVEEXP

Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.561

HIGHCVE-2026-34982

Vim modeline bypass via various options affects Vim < 9.2.0276

MEDIUMCVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n

MEDIUMCVE-2026-45130EXP

Vim: Heap Buffer Overflow in spell file loading

CRITICALCVE-2026-44656EXP

Vim: OS Command Injection via 'path' completion

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 15, 2026

Discovered by ZDM

May 15, 2026

Updated: severity, activelyExploited, patchAvailable

May 15, 2026

Actively Exploited

May 15, 2026

Exploit Available

May 15, 2026

Patch Available

May 15, 2026

Version History

v2

Last enriched 15d ago

v2Tier C15d ago

Updated severity to CRITICAL, marked as actively exploited, and provided the fixed version number 9.2.0479.

severityactivelyExploitedpatchAvailable

via VulDB

v115d ago

Initial creation