Vulnerability Description
Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
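As an added defensive check (not code from the Vim project or the advisory), the following parses a tags file in the standard tab-separated format and flags entries whose filename field contains backtick syntax, which is exactly the field the description says is passed through wildcard expansion. The sample tags content and the tag names in it are constructed for this example.

```python
"""Flag tags-file entries whose filename field contains backtick syntax.

Tags file format (standard): tab-separated
    {tagname}\t{tagfile}\t{tagaddress}[;"\t{tagfield}...]
Lines beginning with "!_TAG_" are pseudo-tag headers and carry no filename.
"""

# Constructed sample: a header line, two benign entries and one entry whose
# filename field embeds a backtick command (the pattern the advisory describes).
SAMPLE_TAGS = "\n".join([
    '!_TAG_FILE_FORMAT\t2\t/extended format/',
    'main\tsrc/main.c\t/^int main(void)$/;"\tf',
    'helper\t`id`.c\t1;"\tf',
    'cfg\t$HOME/project/cfg.c\t/^struct cfg/;"\ts',  # env var only, no shell command
])


def parse_tags(text):
    """Return one dict per real tag entry: line number, tag name, filename, rest."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("!_TAG_"):
            continue  # blank line or pseudo-tag header
        parts = line.split("\t", 2)
        if len(parts) < 3:
            continue  # malformed entry: no filename/address fields to inspect
        tagname, tagfile, rest = parts
        entries.append({"line": lineno, "tag": tagname, "file": tagfile, "rest": rest})
    return entries


def find_backtick_filenames(text):
    """Entries whose filename field contains a backtick. A legitimate tags
    generator never emits one, so any hit is worth reviewing before the file
    is used with an unpatched Vim (< 9.2.0357)."""
    return [e for e in parse_tags(text) if "`" in e["file"]]


if __name__ == "__main__":
    for hit in find_backtick_filenames(SAMPLE_TAGS):
        print(f"line {hit['line']}: tag {hit['tag']!r} has filename {hit['file']!r}")
```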
CVSS Score
6.6 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vim | Vim | < 9.2.0357 |
Related Weaknesses (CWE)
References
- https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb (Patch)
- https://github.com/vim/vim/releases/tag/v9.2.0357 (Product)
- https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8 (Patch, Vendor Advisory)
FAQ
What is CVE-2026-41411?
CVE-2026-41411 is a vulnerability with a CVSS score of 6.6 (MEDIUM). Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file i...
How severe is CVE-2026-41411?
CVE-2026-41411 has been rated MEDIUM with a CVSS base score of 6.6/10. See the CVSS score above.
Is there a patch for CVE-2026-41411?
Check the references section above for the vendor advisory and the fixing commit. Affected product: Vim (vendor: Vim), versions prior to 9.2.0357.