CVE-2026-28417

Summary

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the scp:// protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
vimvim< 9.2.0073affected

Weaknesses

  • CWE-86: CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References