Command Injection Vulnerability in Vim Text Editor
CVE-2026-59856
8.4HIGH
What is CVE-2026-59856?
A vulnerability exists in the Vim text editor, where the PHP omni-completion script does not properly escape class or trait names sourced from the edited buffer. This oversight can lead to the execution of arbitrary operating system commands when a crafted PHP file is opened and the omni-completion feature is invoked. The flaw allows an attacker to manipulate the search pattern to terminate strings prematurely, allowing the execution of unintended Ex commands. This issue has been addressed in Vim version 9.2.0736.
Affected Version(s)
vim < 9.2.0736
