4.1 · CVE-2026-35177 · EXPLOITED · PATCHED
vim · vim

Path traversal issue with zip.vim in Vim

Description

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Affected Products

Vendor | Product | Versions
vim | vim | < 9.2.0280

References

  • https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24 (x_refsource_CONFIRM)

Related News (1 articles)

Tier C · VulDB · 1d ago
CVE-2026-35177 | vim up to 9.2.0279 zip.vim Plugin path traversal (GHSA-jc86-w7vm-8p24)
→ No new info (linked only)
CVSS 3.1: 4.1 CRITICAL
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 9.2.0280
CWE: CWE-22
Published: Apr 6, 2026
Last enriched: 1d ago (v2)
Tags: CVE-2026-35177
Trending Score: 43
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • HIGH · CVE-2026-34982 (Trending: 42)
    Vim modeline bypass via various options affects Vim < 9.2.0276
  • CRITICAL · CVE-2026-34714 · EXP (Trending: 38)
    CVE-2026-34714: Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configurat
  • MEDIUM · CVE-2026-33412 (Trending: 36)
    Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n
  • MEDIUM · PRE-CVE (Trending: 23)
    Netbeans Command Injection in Vim
  • MEDIUM · CVE-2026-26269 (Trending: 11)
    Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim bu

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 6, 2026
  • Discovered by ZDM: Apr 6, 2026
  • Actively Exploited: Apr 6, 2026
  • Patch Available: Apr 6, 2026
  • Updated (severity, activelyExploited, patchAvailable, tags): Apr 6, 2026

Version History

v2 (last enriched 1d ago)
v2 · Tier C · 1d ago

Updated severity to CRITICAL, marked as actively exploited, and noted that patch is available in version 9.2.0280.

severity, activelyExploited, patchAvailable, tags
via VulDB

v1 · 1d ago

Initial creation