Command Injection in Vim's Netbeans Interface Affects Open Source Text Editor
CVE-2026-39881

Key Information:

Vendor: Vim

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-39881?

A command injection vulnerability exists in Vim's netbeans interface: a malicious netbeans server can execute arbitrary Ex commands when Vim connects to it. The issue arises from the lack of proper input sanitization in the defineAnnoType and specialKeys protocol messages. The vulnerability is fixed in version 9.2.0316; updating to that version or later addresses it.

Affected Version(s)

vim < 9.2.0316
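
A check for the affected range above, as an added example (not code from the Vim project or from this advisory): it reads `vim --version` output and reports whether the build predates 9.2.0316 and whether the netbeans feature is compiled in. The function names and the sample output are constructed for illustration.

```python
import re
import sys

FIXED = (9, 2, 316)  # fixed release per the advisory: 9.2.0316

# Constructed sample, trimmed to the lines the check reads.
SAMPLE = """VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Mar 01 2026 10:00:00)
Included patches: 1-315
Huge version without GUI.  Features included (+) or not (-):
+mouse_xterm       +netbeans_intg     +num64
"""

def patch_included(text, patch):
    """True if `patch` falls in a range on the 'Included patches:' line."""
    m = re.search(r"^Included patches:\s*(.+)$", text, re.M)
    if not m:
        return False
    for part in m.group(1).split(","):
        lo, _, hi = part.strip().partition("-")
        if lo.isdigit() and int(lo) <= patch <= int(hi if hi.isdigit() else lo):
            return True
    return False

def assess(text):
    """Return 'fixed', 'vulnerable', 'not-exposed' or 'unknown'."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        return "unknown"
    # A build without the netbeans feature has no netbeans interface to reach.
    if re.search(r"(?<!\S)-netbeans_intg(?!\S)", text):
        return "not-exposed"
    release = (int(m.group(1)), int(m.group(2)))
    if release != FIXED[:2]:
        return "fixed" if release > FIXED[:2] else "vulnerable"
    return "fixed" if patch_included(text, FIXED[2]) else "vulnerable"

if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    print(assess(sys.stdin.read() if piped else SAMPLE))
```

Run it as `vim --version | python3 check.py`. A distribution package that backports the fix without raising the patch level will still be reported as vulnerable, so confirm against the package changelog.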

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
