CVE-2026-47167
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
In the Vim text editor prior to version 9.2.0496, a code injection vulnerability exists in the s:stepmatch() function of the cucumber filetype plugin. Step-definition patterns read from .rb files can be exploited to execute arbitrary Ruby commands, posing a risk of executing malicious code.
Risk Assessment
This vulnerability allows attackers to execute arbitrary commands on the system, potentially leading to severe security breaches and data loss within the organization.
Recommendation
It is recommended to update Vim to version 9.2.0496 or later to mitigate this vulnerability. Additionally, avoid using untrusted repositories containing .rb files.
Original NVD description (English source)
Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.

