Command Injection Vulnerability in Vim's netrw Plugin
CVE-2026-42307

4.4MEDIUM

Key Information:

Vendor

Vim

Status
Vim
Vendor
CVE Published:
8 May 2026

What is CVE-2026-42307?

An OS command injection vulnerability exists in the netrw standard plugin of Vim, allowing an attacker to execute arbitrary shell commands. This can occur when a user is tricked into opening a specially crafted URL using the sftp:// or file:// protocol handlers. The attack exploits insufficient input validation, leading to elevated privileges for the executed commands, which are run in the context of the Vim process. The issue has been patched in version 9.2.0383, so users are encouraged to update promptly to mitigate this risk.

Affected Version(s)

vim < 9.2.0383

References

https://github.com/vim/vim/security/advisories/GHSA-85ch-...
x_refsource_CONFIRM
https://github.com/vim/vim/commit/405e2fb6d54d5653523809e...
x_refsource_MISC
https://github.com/vim/vim/releases/tag/v9.2.0383
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.