Vim Command Line Text Editor Vulnerability in Python Omni-Completion
CVE-2026-57456

8.4 HIGH

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-57456?

A significant security vulnerability exists in Vim, the open-source command line text editor, in versions prior to 9.2.0699. The flaw lies in the Python omni-completion feature: while reconstructing function and class definitions for completion, it takes docstrings from the active buffer and inserts them into Python source without escaping, and that source is then executed. Because the buffer is user-controlled input, an attacker who can get a crafted buffer opened in Vim can cause arbitrary Python code to run when completion is triggered. This issue highlights the need for vigilant development practices and the importance of keeping software up to date to mitigate such risks.
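The pattern the description refers to, shown as an added example that is not Vim's pythoncomplete code: a completion engine rebuilds a class definition as Python source, pastes a docstring taken from the buffer into it verbatim, and compiles the result. The stub-building functions, the `injected` list used to observe what ran, and the sample docstrings are all constructed for this illustration. The hardened variant uses `repr()` so the docstring stays a string literal whatever it contains, and `body_is_docstring_only()` is a defensive check that parses a reconstructed stub and rejects it if anything other than a bare string literal ended up in a class or function body.

```python
"""Unescaped docstring interpolation (the flaw class described for
CVE-2026-57456) beside a hardened version and a defensive check.

Added example; this is NOT vim's own completion code. It models the general
pattern: source is rebuilt from buffer text and then compiled/executed.
"""
import ast

# Constructed sample: a docstring as it might appear in an attacker-controlled
# buffer. The payload is deliberately harmless (it only appends to a list).
HOSTILE_DOC = '"""; injected.append("ran at class-definition time"); """'

# Constructed sample: an ordinary docstring that must survive round-tripping.
BENIGN_DOC = 'Return the "size" of x.\nSecond line with a \\ backslash.'


def build_class_stub_unsafe(name: str, doc: str) -> str:
    """Vulnerable pattern: the docstring is pasted into source unescaped,
    so a triple quote inside it closes the literal early."""
    return f'class {name}:\n    """{doc}"""\n'


def build_class_stub_safe(name: str, doc: str) -> str:
    """Hardened pattern: repr() emits a correctly quoted and escaped literal,
    so the docstring remains data regardless of its content."""
    return f"class {name}:\n    {doc!r}\n"


def body_is_docstring_only(source: str) -> bool:
    """Defensive check: every class/function body in the reconstructed stub
    must be exactly one string-literal expression. Any other node means
    buffer text escaped into an executable position."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, (ast.ClassDef, ast.FunctionDef)):
            if len(node.body) != 1:
                return False
            stmt = node.body[0]
            if not (isinstance(stmt, ast.Expr)
                    and isinstance(stmt.value, ast.Constant)
                    and isinstance(stmt.value.value, str)):
                return False
    return True


def docstring_after_exec(source: str, name: str):
    """Harness: execute a stub in a throwaway namespace and report the
    resulting class docstring plus anything the stub appended to `injected`.
    Class bodies run at definition time, which is why a smuggled statement
    executes as soon as the stub is compiled and run."""
    ns = {"injected": []}
    exec(compile(source, "<stub>", "exec"), ns)
    return ns[name].__doc__, ns["injected"]


if __name__ == "__main__":
    unsafe = build_class_stub_unsafe("Foo", HOSTILE_DOC)
    safe = build_class_stub_safe("Foo", HOSTILE_DOC)
    print("unsafe stub passes check:", body_is_docstring_only(unsafe))
    print("unsafe stub side effects:", docstring_after_exec(unsafe, "Foo")[1])
    print("safe stub passes check:  ", body_is_docstring_only(safe))
    print("safe stub docstring:     ", docstring_after_exec(safe, "Foo")[0])
```

Running the script shows the unsafe stub failing the check and the harmless payload appearing in `injected`, while the `repr()`-built stub passes the check and yields the hostile text unchanged as a plain docstring. The check is the piece worth keeping around: a completion engine that must execute reconstructed source can refuse any stub whose bodies contain more than a docstring before handing it to `exec`.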

Affected Version(s)

vim < 9.2.0699

References

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved