Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-47167 (PATCHED)
Vendor: vim · Product: vim

Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex

Description

Vim is an open-source, command-line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and, through it, arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.

Affected Products

Vendor   Product   Versions
vim      vim       < 9.2.0496

References

  • https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9 (advisory, confirmed)
  • https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934 (commit)
  • https://github.com/vim/vim/releases/tag/v9.2.0496 (release)

Related News (3 articles)

  • Tier A · Microsoft MSRC · 5d ago
    CVE-2026-47167 Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex
    → No new info (linked only)
  • Tier C · VulDB · 6d ago
    CVE-2026-47167 | Vim up to 9.2.495 Pattern cucumber.vim stepmatch code injection (GHSA-4473-94jm-w5x9)
    → No new info (linked only)
  • Tier C · oss-security · 31d ago
    [vim-security] Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex affects Vim < 9.2.0496
    → No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: 9.2.0496
CWE: CWE-94, CWE-95
Published: Jun 11, 2026
Last enriched: 6d ago (v2)
Tags: code injection, ruby, vim plugin, critical
Trending Score: 21
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

  • HIGH · CVE-2026-52859 · EXP
    Vim: Out-of-bounds Read in Terminal Screen Snapshot
    Trending: 30
  • MEDIUM · CVE-2026-52860 · EXP
    Vim: Arbitrary Code Execution via Python Omni-Completion
    Trending: 29
  • NONE · CVE-2026-47162 · EXP
    Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name
    Trending: 25
  • NONE · CVE-2026-52858 · EXP
    Vim: Arbitrary Code Execution via Python Omni-Completion
    Trending: 25
  • MEDIUM · PRE-CVE
    Out-of-bounds Read in Text Property Count in Vim < 9.2.0670
    Trending: 21

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Jun 11, 2026
  • Discovered by ZDM: Jun 11, 2026
  • Updated (description, severity, tags): Jun 11, 2026
  • Exploit Available: Jun 12, 2026
  • Patch Available: Jun 12, 2026

Version History

Current version: v2 (last enriched 6d ago)

v2 · Tier C · 6d ago
Updated severity to CRITICAL, added new description details, and marked the vulnerability as not actively exploited.
Fields changed: description, severity, tags
Source: VulDB

v1 · 6d ago
Initial creation