Christian Brabandt

54 exploits Active since Sep 2023
CVE-2026-41411 WRITEUP MEDIUM WRITEUP
Vim <9.2.0357 - Command Injection
Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
CVSS 6.6
CVE-2026-39881 WRITEUP MEDIUM WRITEUP
Vim Ex command injection in Vim's NetBeans integration
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
CVSS 5.0
CVE-2026-34982 WRITEUP HIGH WRITEUP
Vim modeline bypass via various options affects Vim < 9.2.0276
Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
CVSS 8.2
CVE-2026-34714 WRITEUP CRITICAL WRITEUP
Vim <9.2.0272 - Code Injection
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
CVSS 9.2
CVE-2026-33412 WRITEUP MEDIUM WRITEUP
Vim affected by Command injection via newline in glob()
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
CVSS 5.6
CVE-2026-32249 WRITEUP MEDIUM WRITEUP
Vim 9.1.0011-9.2.0137 - Memory Corruption
Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.
CVSS 5.3
CVE-2026-28417 WRITEUP MEDIUM WRITEUP
Vim <9.2.0073 - Command Injection
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
CVSS 4.4
CVE-2026-28418 WRITEUP MEDIUM WRITEUP
Vim <9.2.0074 - Buffer Overflow
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow (out-of-bounds read) exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
CVSS 4.4
CVE-2026-28419 WRITEUP MEDIUM WRITEUP
Vim <9.2.0075 - Memory Corruption
Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
CVSS 5.3
CVE-2026-28420 WRITEUP MEDIUM WRITEUP
Vim <9.2.0076 - Buffer Overflow
Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
CVSS 4.4
CVE-2026-28421 WRITEUP MEDIUM WRITEUP
Vim <9.2.0077 - Memory Corruption
Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
CVSS 5.3
CVE-2026-28422 WRITEUP LOW WRITEUP
Vim <9.2.0078 - Buffer Overflow
Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.
CVSS 2.2
CVE-2023-46246 WRITEUP MEDIUM WRITEUP
Vim - Use After Free
Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value, causing an integer overflow and potentially a later use-after-free. This vulnerability has been patched in version 9.0.2068.
CVSS 4.0
CVE-2023-4733 WRITEUP HIGH WRITEUP
Vim < 9.0.1840 - Use After Free
Use After Free in GitHub repository vim/vim prior to 9.0.1840.
CVSS 7.8
CVE-2023-4734 WRITEUP HIGH WRITEUP
Vim < 9.0.1846 - Integer Overflow
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.
CVSS 7.8
CVE-2023-4735 WRITEUP HIGH WRITEUP
Vim < 9.0.1847 - Out-of-Bounds Write
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.
CVSS 7.8
CVE-2023-4736 WRITEUP HIGH WRITEUP
Vim < 9.0.1833 - Untrusted Search Path
Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.
CVSS 7.8
CVE-2023-4738 WRITEUP HIGH WRITEUP
Vim < 9.0.1848 - Out-of-Bounds Write
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.
CVSS 7.8
CVE-2023-4750 WRITEUP HIGH WRITEUP
Vim < 9.0.1857 - Use After Free
Use After Free in GitHub repository vim/vim prior to 9.0.1857.
CVSS 7.8
CVE-2023-4752 WRITEUP HIGH WRITEUP
Vim < 9.0.1858 - Use After Free
Use After Free in GitHub repository vim/vim prior to 9.0.1858.
CVSS 7.8
CVE-2023-4781 WRITEUP HIGH WRITEUP
Vim < 9.0.1873 - Heap Buffer Overflow
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.
CVSS 7.8
CVE-2023-48231 WRITEUP LOW WRITEUP
Vim < 9.0.2106 - Use After Free
Vim is an open source command line text editor. When closing a window, Vim may try to access an already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 3.9
CVE-2023-48232 WRITEUP LOW WRITEUP
Vim < 9.0.2107 - Improper Exception Handling
Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines if smooth scrolling is enabled and the 'cpo' setting includes the 'n' flag. This may happen when a window border is present and the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 3.9
CVE-2023-48233 WRITEUP LOW WRITEUP
Vim < 9.0.2108 - Integer Overflow
Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 2.8
CVE-2023-48234 WRITEUP LOW WRITEUP
Vim < 9.0.2109 - Integer Overflow
Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 2.8