Code Injection Flaw in Vim Text Editor's Cucumber Plugin by Vim
CVE-2026-47167
5.1 MEDIUM
What is CVE-2026-47167?
A code injection vulnerability exists in Vim's cucumber filetype plugin in versions before 9.2.0496. The plugin reads step-definition patterns from .rb files and, when the user invokes certain step-jump mappings, passes those patterns to Ruby's Kernel.eval without adequate escaping. A crafted pattern in a step-definition file can therefore cause arbitrary Ruby code, and through it arbitrary shell commands, to run in the user's context. The issue is addressed in the current release (9.2.0496 and later).
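The flaw class described above, as an added Ruby example that is not the Vim plugin's own code: a pattern body extracted from a step-definition line is either spliced into Ruby source and passed to Kernel.eval (the risky shape) or handed to Regexp.new, which only ever treats it as regex text. The sample step-definition line and the helper names are constructed for illustration.

```ruby
# Constructed sample of a step-definition line as it would appear in a .rb file.
STEP_DEFINITION = 'Given(/^I have (\d+) cukes$/) do |n|'

# Hypothetical helper: pull the regex body out of a step-definition line.
def extract_pattern_body(line)
  m = line.match(%r{/(.*)/\)?\s*do\b})
  m && m[1]
end

# Risky shape: the body is interpolated into Ruby source and evaluated, so any
# file content that closes the regex literal is parsed and run as Ruby code.
def eval_step_regex(body)
  Kernel.eval("/#{body}/")
end

# Hardened shape: Regexp.new never interprets the body as Ruby; a malformed
# body raises RegexpError, which is reported as nil instead of being executed.
def safe_step_regex(body)
  Regexp.new(body)
rescue RegexpError
  nil
end

# Match a feature-file step against the extracted pattern; returns the
# captured groups, or nil when the pattern is invalid or does not match.
def match_step(body, step_text)
  re = safe_step_regex(body)
  return nil unless re
  m = re.match(step_text)
  m && m.captures
end
```

Only the hardened path should ever see pattern text taken from a file that was not written by the user.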
Affected Version(s)
vim < 9.2.0496
