CVE-2026-52858 · EXPLOITED · PATCHED
vim · vim

Vim: Arbitrary Code Execution via Python Omni-Completion

Description

Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
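A pre-open triage check for hosts still below 9.2.0561, added here as an example (not code from Vim or from this page): it lists the imports in a .py file that would resolve to a module or package sitting beside it, using static parsing so nothing is imported. The function names and the sample files are assumptions; only absolute imports and the file's own directory are checked.

```python
import ast
import re
import tempfile
from pathlib import Path

LINE_RE = re.compile(r"^\s*(?:from\s+([A-Za-z_][\w.]*)\s+import\b|import\s+(.+))")

def imported_roots(source):
    """Top-level module names the text imports, found without executing it."""
    roots = set()
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        # A crafted file need not be valid Python: fall back to a line scan.
        for m in filter(None, map(LINE_RE.match, source.splitlines())):
            names = [m.group(1)] if m.group(1) else m.group(2).split("#")[0].split(",")
            roots.update(n.split()[0].split(".")[0] for n in names if n.strip())
        return roots
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            roots.add(node.module.split(".")[0])
    return roots

def sibling_imports(py_file):
    """(module, path) pairs for imports that resolve to code beside py_file."""
    py_file = Path(py_file)
    here = py_file.parent
    hits = []
    for name in sorted(imported_roots(py_file.read_text(errors="replace"))):
        for candidate in (here / f"{name}.py", here / name / "__init__.py"):
            if candidate.is_file():
                hits.append((name, candidate.relative_to(here).as_posix()))
    return hits

def demo():
    """Constructed sample: report.py imports os and a sibling package 'helper'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "helper").mkdir()
        (root / "helper" / "__init__.py").write_text("# constructed sibling package\n")
        (root / "report.py").write_text("import os\nfrom helper import util\n")
        return sibling_imports(root / "report.py")

if __name__ == "__main__":
    print(demo())
```

A non-empty result means the file's imports reach code shipped alongside it, which is the condition the description names; review those files before invoking omni-completion on an unpatched build.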

Affected Products

Vendor | Product | Versions
vim | vim | < 9.2.0561

References

  • https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c (x_refsource_CONFIRM)
  • https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d (x_refsource_MISC)
  • https://github.com/vim/vim/releases/tag/v9.2.0561 (x_refsource_MISC)

Related News (2 articles)

Tier A · Microsoft MSRC · 5d ago
CVE-2026-52858 Vim: Arbitrary Code Execution via Python Omni-Completion
→ No new info (linked only)

Tier C · VulDB · 6d ago
CVE-2026-52858 | vim up to 9.2.0560 Working Directory code injection (GHSA-52mc-rq6p-rc7c)
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 9.2.0561
CWE: CWE-94, CWE-95, CWE-829
Published: Jun 11, 2026
Last enriched: 6d ago (v2)
Trending Score: 25
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • HIGH · CVE-2026-52859 · EXP · Vim: Out-of-bounds Read in Terminal Screen Snapshot (Trending: 30)
  • MEDIUM · CVE-2026-52860 · EXP · Vim: Arbitrary Code Execution via Python Omni-Completion (Trending: 29)
  • NONE · CVE-2026-47162 · EXP · Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name (Trending: 25)
  • NONE · CVE-2026-47167 · Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex (Trending: 21)
  • MEDIUM · PRE-CVE · Out-of-bounds Read in Text Property Count in Vim < 9.2.0670 (Trending: 21)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Jun 11, 2026
  • Discovered by ZDM: Jun 11, 2026
  • Updated: severity, affectedVersions, activelyExploited, patchAvailable (Jun 11, 2026)
  • Actively Exploited: Jun 12, 2026
  • Patch Available: Jun 12, 2026

Version History

Current: v2 (last enriched 6d ago)

v2 · Tier C · 6d ago · via VulDB
Updated severity to CRITICAL, affected versions to < 9.2.0560, and noted that the vulnerability is actively exploited.
Fields changed: severity, affectedVersions, activelyExploited, patchAvailable

v1 · 7d ago
Initial creation