CVE-2026-55895

HIGH

Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename

Title source: cna
STIX 2.1

Description

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0015
EPSS Percentile 5.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78 CWE-94
Status published
Products (1)
vim/vim < 9.2.0663 (2 CPE variants)
Published Jun 25, 2026
Tracked Since Jun 25, 2026