CVE-2026-39881
MEDIUMVim Ex command injection in Vims NetBeans integration
Title source: cnaDescription
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6
X_Refsource_Misc x_refsource_misc
https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19
X_Refsource_Misc x_refsource_misc
https://github.com/vim/vim/releases/tag/v9.2.0316
Scores
CVSS v3
5.0
EPSS
0.0062
EPSS Percentile
44.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-94
Status
published
Products (1)
vim/vim
< 9.2.0316 (2 CPE variants)
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026