CVE Catalog

CVE-2026-52858

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile - higher than 18% of all known CVEs

Summary

Vim prior to version 9.2.0561 has a security issue related to executing code from malicious .py files when using Python's omni-completion feature. As a result, malicious code can be run in the context of the editing user.

Risk Assessment

Organizations may be exposed to the execution of malicious code, potentially leading to unauthorized access to systems or data. Users may inadvertently run dangerous code, increasing the risk of attacks.

Recommendation

It is recommended to update Vim to version 9.2.0561 or later to mitigate this vulnerability. Additionally, avoid opening unknown or suspicious .py files in the editor.

Original NVD description (English source)

Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS