CVE-2026-57456
HIGHVim: Arbitrary Code Execution via Python Omni-Completion Docstrings
Title source: cnaDescription
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3
X_Refsource_Misc x_refsource_misc
https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8
X_Refsource_Misc x_refsource_misc
https://github.com/vim/vim/releases/tag/v9.2.0699
Scores
CVSS v3
7.8
EPSS
0.0014
EPSS Percentile
4.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
vim/vim
< 9.2.0699 (2 CPE variants)
Published
Jun 25, 2026
Tracked Since
Jun 25, 2026