Vim Open Source Text Editor Vulnerability in Python Omni-Completion
CVE-2026-52860

7.5 HIGH

Key Information:

Vendor: Vim

Status
Vendor
CVE Published: 11 June 2026

What is CVE-2026-52860?

Vim, a widely used open source command-line text editor, has a vulnerability in its Python omni-completion feature that allows code execution. Prior to version 9.2.0597, Vim ran reconstructed function and class definitions through Python's exec() function while populating the completion dictionary. An attacker could therefore craft a malicious buffer that executes arbitrary Python code during omni-completion, bypassing existing mitigation measures. The issue is patched in version 9.2.0597.

Affected Version(s)

vim < 9.2.0597
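
A way to check a host against this version boundary, as an added example that is not part of the advisory or of the Vim project. It parses the header lines of `vim --version`; the function names `vim_cve_status` and `sample_old` are hypothetical and the sample header is constructed.

```shell
#!/bin/sh
# Added example: decide whether a Vim build predates 9.2.0597, the fixed
# release named in this advisory. Function names are hypothetical.

# vim_cve_status reads `vim --version` output on stdin and prints
# "vulnerable <version>", "patched <version>" or "unknown".
vim_cve_status() {
    awk -v fmaj=9 -v fmin=2 -v fpat=597 '
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
            split($5, v, ".")            # $5 is "major.minor", e.g. "9.1"
            major = v[1] + 0; minor = v[2] + 0; seen = 1
        }
        /^Included patches:/ {
            # Ranges such as "1-579, 581-1230": the highest number is the patch level.
            line = $0
            gsub(/[^0-9]+/, " ", line)
            n = split(line, nums, " ")
            for (i = 1; i <= n; i++)
                if (nums[i] + 0 > patch) patch = nums[i] + 0
        }
        END {
            if (!seen) { print "unknown"; exit }
            older = (major < fmaj) ||
                    (major == fmaj && minor < fmin) ||
                    (major == fmaj && minor == fmin && patch < fpat)
            state = older ? "vulnerable" : "patched"
            printf "%s %d.%d.%04d\n", state, major, minor, patch
        }'
}

# Constructed sample header, not captured from a real host.
sample_old() {
    printf '%s\n' \
        'VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 03 2025 10:00:00)' \
        'Included patches: 1-579, 581-1230'
}

sample_old | vim_cve_status     # on a real host: vim --version | vim_cve_status
```

A build that reports no "Included patches" line is treated as patch level 0 of its major.minor release.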

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
