OS Command Injection in netrw affects Vim < 9.2.0383

56% confidence

Description

An OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL, an attacker can execute arbitrary shell commands with the privileges of the Vim process.

Affected Products

Vendor	Product	Versions
vim	—	< 9.2.0383

Related News (1 articles)

Tier C

oss-security4h ago

[vim-security] OS Command Injection in netrw affects Vim < 9.2.0383

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

9.2.0383

CWECWE-78

PublishedApr 22, 2026

Last enriched3h ago

Trending Score23

Source articles1

Independent1

Info Completeness6/14

Missing: cve_id, product, cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34982

Vim modeline bypass via various options affects Vim < 9.2.0276

Trending: 10

MEDIUMCVE-2026-39881

Vim Ex command injection in Vims NetBeans integration

Trending: 9

CRITICALCVE-2026-35177EXP

Path traversal issue with zip.vim in Vim

Trending: 7

MEDIUMCVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n

Trending: 7

MEDIUMCVE-2026-32249

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a charac

Trending: 7

Pin to Dashboard

Verification

State: reported

Confidence: 56%

Vulnerability Timeline

CVE Published

Apr 22, 2026

Patch Available

Apr 22, 2026

Discovered by ZDM

Apr 22, 2026