CVE-2026-59856

HIGH

Vim: Arbitrary Code Execution via PHP Omni-Completion

Title source: cna
STIX 2.1

Description

Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.

References (2)

Core 2

Scores

CVSS v3 7.8
EPSS 0.0017
EPSS Percentile 6.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
vim/vim < 9.2.0736 (2 CPE variants)
Published Jul 09, 2026
Tracked Since Jul 10, 2026