CVE Catalog

CVE-2026-47162

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile - higher than 12% of all known CVEs

Summary

In Vim prior to version 9.2.0495, a Vimscript code injection vulnerability exists in the s:NetrwBookHistSave() function of the netrw plugin. A directory name from the filesystem is interpolated into a single-quoted Vimscript string without escaping embedded single quotes, allowing arbitrary Vimscript execution, including shell commands, when the history file is sourced.

Risk Assessment

An attacker can place a crafted directory name on the filesystem that, when browsed by a user in Vim, triggers arbitrary Vimscript execution, leading to potential compromise of the editor session and the entire system.

Recommendation

Upgrade Vim to version 9.2.0495 or later immediately. If an upgrade is not possible, consider temporarily disabling the netrw plugin.

Original NVD description (English source)

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS