anonhaven
Ad

CVE-2026-34714

CRITICAL CVSS 3.1: 8.6 EPSS 0.03%
Updated Apr 03, 2026
Vim
Parameter Value
CVSS 8.6 (CRITICAL)
Affected Versions before 9.2.0272
Fixed In 9.2.0272
Type CWE-78 (OS Command Injection)
Vendor Vim
Public PoC No

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-78 OS Command Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Vim Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
 9.2.0272

References 7

https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459
cve@mitre.org
https://github.com/vim/vim/releases/tag/v9.2.0272
cve@mitre.org
https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
cve@mitre.org
https://www.openwall.com/lists/oss-security/2026/03/30/3
cve@mitre.org
http://www.openwall.com/lists/oss-security/2026/04/02/4
af854a3a-2127-422b-91ae-364da2661108
http://www.openwall.com/lists/oss-security/2026/04/02/5
af854a3a-2127-422b-91ae-364da2661108
http://www.openwall.com/lists/oss-security/2026/04/03/6
af854a3a-2127-422b-91ae-364da2661108
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35177

Vim

4.1

CVE-2026-34982

Vim

8.2

CVE-2026-33412

Vim

7.3

CVE-2026-28422

Vim

2.2

CVE-2026-28421

Vim

5.3