CVE Catalog

CVE-2026-52860

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

In Vim prior to version 9.2.0597, the Python omni-completion feature executes reconstructed function and class definitions from the current buffer using exec(). Python evaluates default argument values, parameter annotations, and class base expressions at definition time, allowing a malicious buffer to execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation does not cover this path because the attacker-controlled code is not a harvested import/from statement.

Risk Assessment

The risk is that opening a malicious file in Vim and triggering Python omni-completion can lead to arbitrary Python code execution in the editor's context, potentially resulting in system compromise or data theft.

Recommendation

Immediately update Vim to version 9.2.0597 or later. If an update is not possible, avoid opening untrusted files and disable Python omni-completion until the patch is applied.

Original NVD description (English source)

Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS