Donate Telegram

CVE-2026-28417

MEDIUM CVSS 3.1: 4.4 EPSS 0.01%

Feb 27, 2026

Updated Feb 28, 2026

Vim

Parameter	Value
CVSS	4.4 (MEDIUM)
Type	CWE-86
Vendor	Vim
Public PoC	No

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process.

Version 9.2.0073 fixes the issue.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

Required

User action required

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

Low

Partial data modification

Availability

None

No disruption

CVSS Vector v3.1

Weakness Type (CWE)

References 4

https://github.com/vim/vim/commit/79348dbbc09332130f4c860

security-advisories@github.com

https://github.com/vim/vim/releases/tag/v9.2.0073

security-advisories@github.com

https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336

security-advisories@github.com

http://www.openwall.com/lists/oss-security/2026/02/27/6

af854a3a-2127-422b-91ae-364da2661108

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35177

Vim

CVE-2026-34982

Vim

CVE-2026-34714

Vim

CVE-2026-33412

Vim

CVE-2026-28422

Vim

CVE Details

CVE ID

CVE-2026-28417

Published Date

Feb 27, 2026

Vendor

Vim

Severity

MEDIUM

CVSS v3.1 Score

4.4

Medium severity. Plan remediation.

Attack Analysis

Exploitability 1.8/10

How easy to exploit

Impact 2.5/10

Severity of consequences

Exploit Prediction (EPSS)

Probability of Exploit 0.01%

Likelihood of exploitation in next 30 days

Percentile: 1.9th percentile (higher than 1.9% of all CVEs)

Standard patching cycle

Impact

Partial data disclosure

Partial data modification

Source

Editor's Choice