Command Injection Vulnerability in Vim Text Editor
CVE-2026-46483

3.6 LOW

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 15 May 2026

What is CVE-2026-46483?

Vim, an open source command line text editor, has a vulnerability in its handling of .tgz archives. Affected versions prior to 9.2.0479 allow an attacker to execute arbitrary shell commands when an archive with a crafted filename is processed. The vulnerability arises from the tar#Vimuntar() function, which builds shell commands without the necessary security flags, so a crafted filename can result in command execution in the user's environment. Users are advised to upgrade to version 9.2.0479 or later to mitigate this risk.

Affected Version(s)

vim < 9.2.479

CVSS v3.1

Score: 3.6
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved