Zero Day Monitor (ZDM)
CVE-2026-44656 [EXPLOITED] [PATCHED]
Vendor: vim · Product: vim

Vim: OS Command Injection via 'path' completion

Description

Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
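The description above gives the whole chain: a modeline in an attacker-supplied file sets 'path' (which lacks P_SECURE, so modelines may set it) to a value containing a backtick command, and that command runs when the user triggers :find completion. Until every host is on 9.2.0435, a triage step is to scan incoming files for modelines of that shape. The scanner below is an added example written for this page; it is not code from the Vim project or from the advisory. It approximates the modeline grammar from Vim's ":help modeline" (only the first and last 'modelines' lines, default 5, are examined; both the "vim: opt:opt" and "vim: set opt opt:" forms are recognised; the marker must start the line or follow whitespace) and flags any argument that sets 'path' or its short name 'pa' to a value containing a backtick. The option-name list and the sample buffers are constructed for the example.

```python
#!/usr/bin/env python3
"""Scan files for Vim modelines that set 'path' to a backtick command.

Added example for this page; not code from Vim or from the advisory.
Assumptions: the modeline grammar is approximated from ":help modeline"
(both forms, marker at line start or after whitespace, only the first and
last 'modelines' lines examined); the 'path'/'pa' option names and the
sample buffers below are constructed for the example.
"""
import re
import sys

# [text{white}]{vi:|vim:|Vi{vers}:|vim{<=>}{vers}:|ex:}[white]{rest}
MARKER_RE = re.compile(r"(?:^|\s)(?:vi|ex|Vi\d+|vim(?:[<=>]?\d+)?):\s*(.*)$")
# Second form: "se[t] {options}:" -- the terminating ':' must be unescaped.
SET_FORM_RE = re.compile(r"^se(?:t)?\s+(.*?)(?<!\\):")
# 'path' or its short name 'pa', with =, +=, ^= or -=, capturing the value.
PATH_OPT_RE = re.compile(r"^(?:path|pa)(?:\+=|\^=|-=|=)(.*)$")


def split_unescaped(text: str, sep_pattern: str) -> list[str]:
    """Split on sep_pattern unless the separator is preceded by a backslash
    (the escape Vim uses inside modelines, e.g. 'a\\ b' and 'a\\:b')."""
    return [p for p in re.split(r"(?<!\\)" + sep_pattern, text.strip()) if p]


def modeline_options(rest: str) -> list[str]:
    """Return the ':set' arguments carried by the text after the marker."""
    m = SET_FORM_RE.match(rest)
    if m:
        # "vim: set ts=4 sw=4:" -- arguments separated by whitespace up to ':'
        return split_unescaped(m.group(1), r"\s+")
    # "vi:noai:sw=3 ts=6" -- arguments separated by whitespace or ':'
    opts = []
    for part in split_unescaped(rest, ":"):
        opts.extend(split_unescaped(part, r"\s+"))
    return opts


def extract_modelines(text: str, nmodelines: int = 5) -> list[tuple[int, str]]:
    """Return (1-based line number, text after marker) for every candidate
    modeline. Vim only inspects the first and last 'modelines' lines."""
    lines = text.splitlines()
    idx = list(range(min(nmodelines, len(lines))))
    idx += [i for i in range(max(len(lines) - nmodelines, 0), len(lines)) if i not in idx]
    found = []
    for i in idx:
        m = MARKER_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group(1)))
    return found


def find_backtick_path(text: str, nmodelines: int = 5) -> list[dict]:
    """Report modeline arguments that set 'path' to a value containing '`'."""
    hits = []
    for lineno, rest in extract_modelines(text, nmodelines):
        for opt in modeline_options(rest):
            m = PATH_OPT_RE.match(opt)
            if m and "`" in m.group(1):
                hits.append({"line": lineno, "option": opt})
    return hits


# Constructed sample buffers (not taken from any real file or exploit).
SAFE_SAMPLE = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hello\n"
# Second form, on the last line of an 11-line file; 'echo /tmp' stands in
# for whatever command an attacker would place there.
UNSAFE_SAMPLE = "some text\n" * 10 + "/* vim: set path=`echo\\ /tmp` ft=c: */\n"
# First form, short option name, on line 1.
FIRST_FORM_SAMPLE = "# vi:noai:pa=`echo\\ /tmp`:ts=4\nbody\n"
# Same shape on line 8 of 15: outside the first/last 5, so Vim ignores it.
MIDDLE_SAMPLE = "x\n" * 7 + "# vim: path=`echo\\ /tmp`:\n" + "x\n" * 7


def main(argv: list[str]) -> int:
    status = 0
    for name in argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as fh:
            for hit in find_backtick_path(fh.read()):
                print(f"{name}:{hit['line']}: modeline sets {hit['option']}")
                status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 modeline_scan.py FILE...`; it exits 1 when a hit is found. It only catches the primitive the advisory describes (a backtick value for 'path' delivered through a modeline). The fix is updating to 9.2.0435; independently, `set nomodeline` in the vimrc (modelines are on by default for non-root users) closes the modeline delivery channel for this and the other modeline-based issues listed under Related CVEs.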

Affected Products

Vendor   Product   Versions
vim      vim       < 9.2.0435

References

  • Vendor advisory GHSA-hwg5-3cxw-wvvg: https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
  • Commit: https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
  • Release: https://github.com/vim/vim/releases/tag/v9.2.0435

Related News (3 articles)

  • [Tier B] CERT-FR, 17d ago: Multiple vulnerabilities in Microsoft products (13 May 2026) (no new info; linked only)
  • [Tier A] Microsoft MSRC, 20d ago: CVE-2026-44656 Vim: OS Command Injection via 'path' completion (no new info; linked only)
  • [Tier C] VulDB, 21d ago: CVE-2026-44656 | vim up to 9.2.0434 Command Line os command injection (GHSA-hwg5-3cxw-wvvg) (no new info; linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: 9.2.0435
CWE: CWE-78 (OS Command Injection)
Published: May 8, 2026
Last enriched: 21d ago (v2)
Trending Score: 5
Source articles: 3
Independent: 3
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Note: the "actively exploited" flag was set during the v2 enrichment from the VulDB (Tier C) article (see Version History). The CVE is not in CISA KEV, no exploit or IOC details have been recorded, and the page's verification state is unverified, so treat the flag as uncorroborated.


Related CVEs (5)

  • [MEDIUM] [PRE-CVE] [EXP] (trending 39): Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.561
  • [HIGH] CVE-2026-34982 (trending 31): Vim modeline bypass via various options affects Vim < 9.2.0276
  • [MEDIUM] CVE-2026-33412 (trending 23): Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n
  • [LOW] CVE-2026-46483 [EXP] (trending 8): Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag
  • [MEDIUM] CVE-2026-45130 [EXP] (trending 6): Vim: Heap Buffer Overflow in spell file loading

Verification

State: unverified · Confidence: 0%

Vulnerability Timeline

  • May 8, 2026: CVE published
  • May 8, 2026: marked actively exploited
  • May 8, 2026: patch available
  • May 8, 2026: discovered by ZDM
  • May 9, 2026: updated: severity, patchAvailable, activelyExploited

Version History

v2 (Tier C source, via VulDB, 21d ago; last enriched 21d ago): Updated severity to CRITICAL, marked as actively exploited, and specified patch available in version 9.2.0435. Fields changed: severity, patchAvailable, activelyExploited.

v1 (21d ago): Initial creation.