CVE Catalog

CVE-2026-34714

CriticalCVSS 9.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.59%

44th percentile — higher than 44% of all known CVEs

Summary

A vulnerability in Vim before version 9.2.0272 allows immediate code execution upon opening a crafted file in the default configuration. The issue is due to %{expr} injection in tabpanel lacking the P_MLE flag.

Risk Assessment

An attacker can remotely execute arbitrary code on the administrator's or user's workstation by opening a malicious file, leading to full system compromise.

Recommendation

Update Vim to version 9.2.0272 or later immediately. If an update is not possible, avoid opening files from untrusted sources.

Original NVD description (English source)

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS