Command Injection Vulnerability in Vim Text Editor
CVE-2026-59856

8.4HIGH

Key Information:

Vendor

Vim

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59856?

A vulnerability exists in the Vim text editor, where the PHP omni-completion script does not properly escape class or trait names sourced from the edited buffer. This oversight can lead to the execution of arbitrary operating system commands when a crafted PHP file is opened and the omni-completion feature is invoked. The flaw allows an attacker to manipulate the search pattern to terminate strings prematurely, allowing the execution of unintended Ex commands. This issue has been addressed in Vim version 9.2.0736.

Affected Version(s)

vim < 9.2.0736

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.