CVE-2026-33412
MediumCVSS 5.6Exploitation Probability (EPSS)
Elevated risk54th percentile - higher than 54% of all known CVEs
Summary
In Vim prior to version 9.2.0202, a command injection vulnerability exists in the glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may execute arbitrary shell commands. This depends on the user's 'shell' setting.
Risk Assessment
An attacker can remotely execute arbitrary commands on the victim's system, leading to full compromise of data confidentiality, integrity, and availability.
Recommendation
Immediately update Vim to version 9.2.0202 or later. If updating is not possible, restrict the use of glob() with untrusted patterns.
Original NVD description (English source)
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

