Command injection vulnerability in Vim's glob function on Unix-like systems
CVE-2026-33412

5.6 MEDIUM

Key Information:

Vendor

Vim

Status
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33412?

Vim, a widely used open-source command-line text editor, contains a command injection flaw in its glob() functionality on Unix-like systems. Because the pattern is expanded through the user's configured shell, an attacker who can inject a newline character into a pattern processed by glob() may be able to execute arbitrary shell commands, depending on the user's shell settings. The issue is fixed in version 9.2.0202, and users should upgrade to that version or later.
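The defensive check a script or plugin author wants here is to refuse any pattern containing a line terminator before it can reach a shell-backed expansion, and to expand in-process where possible. The following is an added example, not Vim's own code; `is_safe_pattern`, `safe_expand` and the sample file names are assumptions for illustration.

```python
import glob
import os
import tempfile

# Control characters that must never reach a shell-backed glob expansion:
# a newline ends a shell command line, so a pattern containing one is no
# longer a single pattern. CR and NUL are rejected for the same reason.
FORBIDDEN = {"\n", "\r", "\0"}


def is_safe_pattern(pattern: str) -> bool:
    """Return True if the pattern contains no control characters."""
    return not any(ch in pattern for ch in FORBIDDEN)


def safe_expand(pattern: str, root: str) -> list:
    """Validate the pattern, then expand it without involving a shell.

    Hypothetical helper (not Vim's own code): the expansion stays in-process,
    so the user's shell never parses the pattern at all.
    """
    if not is_safe_pattern(pattern):
        raise ValueError("glob pattern contains a control character")
    matches = glob.glob(os.path.join(root, pattern))
    return sorted(os.path.basename(m) for m in matches)


def demo() -> tuple:
    """Constructed sample: three files in a temp dir, one good and one bad pattern."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.txt", "b.txt", "c.log"):
            open(os.path.join(tmp, name), "w").close()
        good = safe_expand("*.txt", tmp)          # expands normally
        try:
            safe_expand("*.txt\nsecond line", tmp)  # newline in pattern
            rejected = False
        except ValueError:
            rejected = True
    return rejected, good


if __name__ == "__main__":
    print(demo())
```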

Affected Version(s)

vim < 9.2.0202

References

CVSS V3.1

Score:
5.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
