Vulnerability Description
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vim | Vim | < 9.2.0202 |
Related Weaknesses (CWE)
References
- https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9aPatch
- https://github.com/vim/vim/releases/tag/v9.2.0202Product
- https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46cPatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/03/19/10Mailing ListPatchThird Party Advisory
FAQ
What is CVE-2026-33412?
CVE-2026-33412 is a vulnerability with a CVSS score of 5.6 (MEDIUM). Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n...
How severe is CVE-2026-33412?
CVE-2026-33412 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33412?
Check the references section above for vendor advisories and patch information. Affected products include: Vim Vim.