OS Command Injection Vulnerability in Vim's Netrw Plugin
CVE-2026-28417

4.4MEDIUM

Key Information:

Vendor

Vim

Status
Vim
Vendor
CVE Published:
27 February 2026

What is CVE-2026-28417?

An OS command injection vulnerability exists in the netrw plugin bundled with Vim, an open-source command line text editor. This flaw allows attackers to execute arbitrary shell commands by tricking users into opening a specially crafted URL, such as those using the scp:// protocol. This poses significant risks as the commands executed will run with the privileges of the Vim process. The issue has been addressed in Vim version 9.2.0073, and users are encouraged to update to this version or later to mitigate potential security threats.

Affected Version(s)

vim < 9.2.0073

References

https://github.com/vim/vim/security/advisories/GHSA-m3xh-...
x_refsource_CONFIRM
https://github.com/vim/vim/commit/79348dbbc09332130f4c860
x_refsource_MISC
https://github.com/vim/vim/releases/tag/v9.2.0073
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.