CVE-2026-47162 · EXPLOITED · PATCHED
vim · vim

Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name

Description

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
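The description above implies a simple host-side check: every path entry in the history file should be exactly one single-quoted Vimscript literal, in which the only escape is a doubled quote. The following auditor is an added example, not code from the Vim project or the advisory; the `.netrwhist` line layout it expects and the constructed sample are assumptions, and `vim_single_quote` illustrates quote doubling in general rather than the upstream patch.

```python
import re

# Assumed .netrwhist layout (not taken from the page): numeric header
# assignments, then one single-quoted path per history slot.
HEADER = re.compile(r"let g:netrw_dirhist(?:max|_?cnt)\s*=\s*-?\d+\s*")
# Inside a Vimscript single-quoted literal the only escape is '' (doubled
# quote), so a safe entry is one literal with nothing after its closing quote.
ENTRY = re.compile(r"let g:netrw_dirhist_\d+='(?:[^']|'')*'\s*")
ENTRY_PREFIX = re.compile(r"let g:netrw_dirhist_\d+=")


def audit_netrwhist(text):
    """Return (line number, reason, line) for each line that is not a
    recognised header or a single well-formed quoted path entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or HEADER.fullmatch(line) or ENTRY.fullmatch(line):
            continue
        if ENTRY_PREFIX.match(line):
            reason = "path is not one properly quoted string literal"
        else:
            reason = "unexpected statement in history file"
        findings.append((lineno, reason, line))
    return findings


def vim_single_quote(path):
    """Serialize a path as a Vimscript single-quoted literal by doubling
    embedded single quotes (illustrative hardening, not the upstream fix)."""
    return "'" + path.replace("'", "''") + "'"


# Constructed sample: line 4 doubles its quote correctly, line 5 does not.
SAMPLE = """\
let g:netrw_dirhistmax  =10
let g:netrw_dirhistcnt =3
let g:netrw_dirhist_1='/home/user/projects'
let g:netrw_dirhist_2='/tmp/it''s fine'
let g:netrw_dirhist_3='/tmp/it's not'
"""

if __name__ == "__main__":
    for lineno, reason, line in audit_netrwhist(SAMPLE):
        print(f"line {lineno}: {reason}: {line}")
```

A flagged line means the file should be inspected or deleted before Vim sources it again; upgrading to the patched version remains the actual fix.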

Affected Products

Vendor | Product | Versions
vim | vim | < 9.2.0495

References

  • https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c (x_refsource_CONFIRM)
  • https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b (x_refsource_MISC)
  • https://github.com/vim/vim/releases/tag/v9.2.0495 (x_refsource_MISC)

Related News (2 articles)

Tier A · Microsoft MSRC · 5d ago
CVE-2026-47162 Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name
→ No new info (linked only)

Tier C · VulDB · 6d ago
CVE-2026-47162 | vim up to 9.2.494 Directory netrw.vim NetrwBookHistSave injection (GHSA-crm5-rh6j-2c7c)
→ No new info (linked only)

CISA KEV: No
Actively exploited: Yes
Patch available: 9.2.495
CWE: CWE-74, CWE-94
Published: Jun 11, 2026
Last enriched: 6d ago (v2)
Trending Score: 25
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • HIGH · CVE-2026-52859 · EXP · Vim: Out-of-bounds Read in Terminal Screen Snapshot · Trending: 30
  • MEDIUM · CVE-2026-52860 · EXP · Vim: Arbitrary Code Execution via Python Omni-Completion · Trending: 29
  • NONE · CVE-2026-52858 · EXP · Vim: Arbitrary Code Execution via Python Omni-Completion · Trending: 25
  • NONE · CVE-2026-47167 · Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex · Trending: 21
  • MEDIUM · PRE-CVE · Out-of-bounds Read in Text Property Count in Vim < 9.2.0670 · Trending: 21

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Jun 11, 2026
  • Discovered by ZDM: Jun 11, 2026
  • Updated (description, affectedVersions, severity, activelyExploited, patchAvailable): Jun 11, 2026
  • Actively Exploited: Jun 12, 2026
  • Patch Available: Jun 12, 2026

Version History

v2
Last enriched 6d ago
v2 · Tier C · 6d ago

Updated description with critical severity, affected versions, and patch available in version 9.2.495.

Fields changed: description, affectedVersions, severity, activelyExploited, patchAvailable
via VulDB

v1 · 7d ago

Initial creation