Command Injection Vulnerability in Vim Text Editor by Vim Project
CVE-2026-57453

6.5 MEDIUM

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-57453?

A command injection vulnerability exists in the Vim text editor, affecting versions from 9.1.1784 up to but not including 9.2.0678. The issue arises when the bundled zip plugin, autoload/zip.vim, falls back to PowerShell for operations on zip archives. A crafted archive entry name can break out of the expected string context, leading to execution of arbitrary commands in PowerShell with the privileges of the user running Vim. The exposure is triggered when a user opens, views, or extracts a zip archive containing a malicious entry name, so user interaction is required. The vulnerability has been addressed in version 9.2.0678; upgrading to that version or later removes the issue.

Affected Version(s)

vim >= 9.1.1784, < 9.2.0678

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved