Command Line Text Editor Vulnerability in Vim's Netrw Plugin
CVE-2026-55895

5.7 MEDIUM

Key Information:

Vendor: Vim

Status
Vendor
CVE Published: 25 June 2026

What is CVE-2026-55895?

An insecure Vimscript execution flaw exists in the Netrw plugin in Vim, in the way it handles filenames when deleting files. A crafted filename can inject arbitrary Vimscript commands, which allows unauthorized execution of shell commands through the built-in system() function (invoked with :call system()) and the :! command. The vulnerability affects versions prior to 9.2.0663 and poses a significant risk if exploited, since it can compromise the integrity of the command-line interface.

Affected Version(s)

vim < 9.2.0663

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
