CVE-2026-34714
CriticalCVSS 9.2Exploitation Probability (EPSS)
Low risk44th percentile — higher than 44% of all known CVEs
Summary
A vulnerability in Vim before version 9.2.0272 allows immediate code execution upon opening a crafted file in the default configuration. The issue is due to %{expr} injection in tabpanel lacking the P_MLE flag.
Risk Assessment
An attacker can remotely execute arbitrary code on the administrator's or user's workstation by opening a malicious file, leading to full system compromise.
Recommendation
Update Vim to version 9.2.0272 or later immediately. If an update is not possible, avoid opening files from untrusted sources.
Original NVD description (English source)
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

