Vim Command Line Text Editor Vulnerability Allows Arbitrary Command Execution
CVE-2026-34982
What is CVE-2026-34982?
CVE-2026-34982 is a vulnerability in Vim, a widely used open-source command-line text editor that programmers and system administrators rely on for efficient text manipulation. The flaw enables arbitrary command execution on the operating system if a user opens a specially crafted file. It arises from inadequate security mechanisms in the interpretation of modelines, which are directives within text files that control editor behavior. Specifically, certain options, such as complete, guitabtooltip, and printheader, do not carry the necessary security flag, leaving users susceptible to executing unwanted commands. Additionally, the mapset() function lacks adequate security checks, which further exposes the application to potential exploitation. The vulnerability affects Vim versions prior to 9.2.0276; a patch has been introduced to resolve the issue.
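To triage files before they are opened on an unpatched Vim, the following added example (not code from the Vim project or from this advisory) lists modelines that set any of the three options named above. The function names are hypothetical, the modeline grammar is a simplified approximation of Vim's, and a hit only means the option is set in a modeline, not that the file is malicious.

```python
import re

# Options named in the advisory, keyed by full and short name. The short
# names (cpt, gtt, pheader) are Vim's standard abbreviations.
FLAGGED = {
    "complete": "complete", "cpt": "complete",
    "guitabtooltip": "guitabtooltip", "gtt": "guitabtooltip",
    "printheader": "printheader", "pheader": "printheader",
}

# Simplified modeline prefix: vi:, vim:, Vim: or ex: (vim may carry a version
# condition such as vim>900:), at line start or after whitespace.
PREFIX = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")
SET_FORM = re.compile(r"set?\s+(.*)$")


def modeline_options(line):
    """Return the option names a line would set if read as a modeline."""
    m = PREFIX.search(line)
    if not m:
        return []
    s = SET_FORM.match(m.group(1))
    if s:
        # "set" form: the option list ends at the first unescaped colon.
        tokens = re.split(r"(?<!\\):", s.group(1), maxsplit=1)[0].split()
    else:
        # Plain form: options are separated by colons or whitespace.
        tokens = re.split(r"(?<!\\)[:\s]+", m.group(1))
    names = (re.match(r"[a-z]+", t) for t in tokens)
    return [n.group(0) for n in names if n]


def flagged_modelines(text, window=5):
    """List (line_number, option) hits in the first and last `window` lines.

    Vim reads modelines only near the top and bottom of a file; the default
    value of its 'modelines' option is 5.
    """
    lines = text.splitlines()
    n = len(lines)
    scan = sorted(set(range(min(window, n))) | set(range(max(0, n - window), n)))
    return [(i + 1, FLAGGED[name]) for i in scan
            for name in modeline_options(lines[i]) if name in FLAGGED]


# Constructed sample files; the option values are harmless placeholders.
BENIGN = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho ok\n"
SUSPECT = "/* vim: set pheader=report : */\nint x;\n// vim: cpt=.,w:ts=2\n"

if __name__ == "__main__":
    print(flagged_modelines(BENIGN))
    print(flagged_modelines(SUSPECT))
```

Raise `window` if the local Vim configuration sets 'modelines' higher than the default.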
Potential impact of CVE-2026-34982
- Arbitrary Command Execution: The primary impact of this vulnerability is the potential for an attacker to execute arbitrary commands on the operating system. When a user inadvertently opens a maliciously crafted file, the exploit can lead to the execution of harmful commands, which could compromise system integrity.
- Risk of Complete System Compromise: The ability to execute arbitrary commands can allow threat actors to gain full control over a system. This access can lead to unauthorized data access, manipulation, or deletion, significantly impacting organizational operations and security.
- Increased Attack Surface for Malware: Given that Vim is frequently used for editing configuration files and scripts, the existence of this vulnerability may be leveraged by attackers to deploy additional malware or ransomware on a compromised system, broadening the potential impact across interconnected network resources.

Affected Version(s)
vim < 9.2.0276
