anonhaven
Ad

CVE-2026-33412

HIGH CVSS 3.1: 7.3 EPSS 0.01%
Updated Mar 25, 2026
Vim
Parameter Value
CVSS 7.3 (HIGH)
Affected Versions before 9.2.0202
Fixed In 9.2.0202
Type CWE-78 (OS Command Injection)
Vendor Vim
Public PoC No

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands.

This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-78 OS Command Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Vim Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
 9.2.0202

References 4

https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
security-advisories@github.com
https://github.com/vim/vim/releases/tag/v9.2.0202
security-advisories@github.com
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
security-advisories@github.com
http://www.openwall.com/lists/oss-security/2026/03/19/10
af854a3a-2127-422b-91ae-364da2661108
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28422

Vim

2.2

CVE-2026-28421

Vim

5.3

CVE-2026-28420

Vim

4.4

CVE-2026-28419

Vim

5.3

CVE-2026-28418

Vim

4.4