Path Traversal Bypass in Vim's Zip Plugin Affects Open Source Text Editor
CVE-2026-35177

4.1 MEDIUM

Key Information:

Vendor: Vim

Status
Vendor
CVE Published: 6 April 2026

What is CVE-2026-35177?

Vim, a widely used open source text editor, has a vulnerability in its zip.vim plugin that affects versions before 9.2.0280. A path traversal bypass allows an attacker to overwrite arbitrary files when a user opens a specially crafted zip archive. The flaw circumvents a previous fix for an earlier vulnerability, increasing the risk of exploitation. Users are advised to update to version 9.2.0280 or later to mitigate this risk.

Affected Version(s)

vim < 9.2.0280

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
