Command Injection Vulnerability in Vim's Tag File Processing
CVE-2026-41411

6.6 MEDIUM

Key Information:

Vendor

Vim

Status
Vendor
CVE Published: 24 April 2026

What is CVE-2026-41411?

Vim, a widely used open source command line text editor, has a command injection vulnerability in its tag file processing. In versions prior to 9.2.0357, an attacker can exploit this flaw by creating a specially crafted tags file whose filename field contains backtick syntax, such as `command`. When Vim resolves that filename field, the wildcard expansion it applies to the field also evaluates the backtick expression, so arbitrary commands run with the full privileges of the user running Vim, which poses a significant security risk.
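
As an added example (not from this advisory or the Vim project), the following Python scanner parses a tags file and flags entries whose filename field carries the backtick syntax described above, so suspicious tags files can be caught before an unpatched Vim opens them. The tags content is constructed; the tab-separated "tagname, filename, ex command" layout and the "!_TAG_" header convention are the standard Vim tags file format.

```python
"""Scan a Vim tags file for filename fields containing backtick syntax."""
from typing import List, Tuple

# Constructed sample tags file. The third entry mimics the pattern described
# in CVE-2026-41411: a backtick expression where a filename is expected.
SAMPLE_TAGS = "\n".join([
    '!_TAG_FILE_FORMAT\t2\t/extended/',
    'main\tsrc/main.c\t/^int main(void)$/;"\tf',
    'helper\t`command`\t/^void helper/;"\tf',
    'util\tsrc/util.c\t/^int util/;"\tf',
])


def parse_tags(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, tagname, filename) for each tag entry.

    "!_TAG_" metadata headers and lines lacking the three tab-separated
    fields are skipped; the ex command (third field) is not needed here.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("!_TAG_"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 3:
            continue
        entries.append((lineno, parts[0], parts[1]))
    return entries


def find_backtick_filenames(text: str) -> List[Tuple[int, str, str]]:
    """Flag entries whose filename field contains a backtick character.

    A legitimate filename field names a file on disk; a backtick there is
    the signature of the command-substitution pattern this CVE describes.
    """
    return [entry for entry in parse_tags(text) if "`" in entry[2]]


if __name__ == "__main__":
    for lineno, tag, fname in find_backtick_filenames(SAMPLE_TAGS):
        print(f"line {lineno}: tag {tag!r} has backtick in filename {fname!r}")
```

Pointing the scanner at a checked-in or downloaded tags file (read it with `open(path).read()` in place of `SAMPLE_TAGS`) gives a quick pre-open check; upgrading to Vim 9.2.0357 or later remains the actual fix.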

Affected Version(s)

vim < 9.2.0357

References

CVSS V3.1

Score: 6.6
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
