Code Injection Flaw in Vim Text Editor's Cucumber Plugin by Vim
CVE-2026-47167

5.1 MEDIUM

Key Information:

Vendor

Vim

Status
Vendor
CVE Published:
11 June 2026

What is CVE-2026-47167?

A code injection vulnerability exists in the cucumber filetype plugin shipped with Vim, affecting versions prior to 9.2.0496. The plugin reads step-definition patterns from .rb files and, when the user invokes certain step-jump mappings, passes those patterns to Ruby's Kernel.eval without adequate escaping. An attacker who can place a crafted pattern in a .rb file that the plugin reads can therefore execute arbitrary Ruby code, and through it arbitrary shell commands, once the user triggers one of these mappings. This issue has been addressed in the latest release.

Affected Version(s)

vim < 9.2.0496

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
