CVE-2019-12735

HIGH

Vim < 8.1.1365 and Neovim < 0.3.6 - OS Command Injection via Modeline :source! Command


Exploitation Summary

EIP tracks 6 public exploits for CVE-2019-12735. PoCs published by Arminius, pcy190, oldthree3.

AI-analyzed exploit summary: This exploit demonstrates arbitrary code execution in Vim and Neovim via maliciously crafted modelines. It bypasses the sandbox using `:source!` to execute shell commands, including a reverse shell payload.

Description

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

Exploits (6)

exploitdb WORKING POC
by Arminius · locallinux
https://www.exploit-db.com/exploits/46973

This exploit demonstrates arbitrary code execution in Vim and Neovim via maliciously crafted modelines. It bypasses the sandbox using `:source!` to execute shell commands, including a reverse shell payload.

Classification: Working PoC (100%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Vim < 8.1.1365, Neovim < 0.3.6
No auth needed
Prerequisites: Modelines must be enabled in the target's Vim/Neovim configuration · Victim must open the crafted file
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 9 stars
by pcy190 · poc
https://github.com/pcy190/ace-vim-neovim

This repository contains a functional exploit for CVE-2019-12735, which leverages modelines in Vim/Neovim to achieve arbitrary code execution. The PoC involves a crafted text file that, when opened in Vim/Neovim, triggers a reverse shell to a listener.

Classification: Working PoC (90%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Vim/Neovim (versions affected by CVE-2019-12735)
No auth needed
Prerequisites: Network connectivity to the attacker's listener · Victim must open the crafted file in Vim/Neovim
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by oldthree3 · poc
https://github.com/oldthree3/CVE-2019-12735-VIM-NEOVIM

This repository provides a functional proof-of-concept for CVE-2019-12735, a vulnerability in Vim and Neovim that allows arbitrary command execution via modeline functionality. The exploit requires the modeline feature to be enabled and involves crafting a malicious file that executes commands when opened in Vim or Neovim.

Classification: Working PoC (90%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Vim < 8.1.1365, Neovim <= v0.3.6
No auth needed
Prerequisites: Modeline feature enabled in Vim/Neovim · Victim opens a malicious file in Vim/Neovim
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by nickylimjj · poc
https://github.com/nickylimjj/cve-2019-12735

This repository provides a Dockerized environment to exploit CVE-2019-12735, a Vim modeline vulnerability that allows arbitrary command execution when opening a specially crafted file. The PoC demonstrates command injection via a maliciously crafted modeline in a text file.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Vim 8.1.1365 (and prior), NeoVim 0.3.6 (and prior)
No auth needed
Prerequisites: Docker installed on the host system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by st9007a · poc
https://github.com/st9007a/CVE-2019-12735

This repository contains a functional exploit for CVE-2019-12735, a vulnerability in Vim and Neovim that allows remote code execution via crafted modeline expressions. The PoC includes a Dockerfile to set up a vulnerable environment and a C program to generate a malicious text file that triggers the exploit.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Vim (versions before 8.1.1365) and Neovim (versions before 0.3.6)
No auth needed
Prerequisites: Vulnerable version of Vim or Neovim · Ability to open a malicious text file in the vulnerable editor
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by datntsec · poc
https://github.com/datntsec/CVE-2019-12735

This repository provides a detailed technical analysis of CVE-2019-12735, explaining how arbitrary code execution can be achieved in Vim and Neovim through modeline exploitation. It includes a breakdown of the vulnerability mechanics, sandbox bypass techniques, and a reverse shell PoC.

Classification: Writeup (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Vim < 8.1.1365, Neovim < 0.3.6
No auth needed
Prerequisites: Victim opens a malicious file in Vim/Neovim with modeline enabled
devstral-2 · analyzed Feb 18, 2026

References (32)

Core References

Vendor Advisory: https://usn.ubuntu.com/4016-1/
Vendor Advisory: https://usn.ubuntu.com/4016-2/
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/108724
Third Party Advisory: https://www.debian.org/security/2019/dsa-4467
Mailing List: https://seclists.org/bugtraq/2019/Jun/33
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:1619
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:1774
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:1793
Third Party Advisory: https://www.debian.org/security/2019/dsa-4487
Mailing List: https://seclists.org/bugtraq/2019/Jul/39
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:1947
Third Party Advisory: https://security.gentoo.org/glsa/202003-04
Mailing List, Third Party Advisory: https://bugs.debian.org/930020
Mailing List, Third Party Advisory: https://bugs.debian.org/930024
Patch, Third Party Advisory: https://github.com/neovim/neovim/pull/10082
Exploit, Third Party Advisory: https://www.exploit-db.com/exploits/46973

Scores

CVSS v3: 8.6
EPSS: 0.1911
EPSS Percentile: 97.0%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (2):
neovim/neovim < 0.3.6
vim/vim < 8.1.1365
Published: Jun 05, 2019
Tracked Since: Feb 18, 2026