CVE-2026-39881

MEDIUM

Vim Ex command injection in Vims NetBeans integration

Title source: cna

Description

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

References (3)

Scores

CVSS v3 5.0
EPSS 0.0003
EPSS Percentile 7.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N

Details

CWE
CWE-94
Status published
Products (1)
vim/vim < 9.2.0316 (2 CPE variants)
Published Apr 08, 2026
Tracked Since Apr 09, 2026