Command Injection Vulnerability in Vim Text Editor
CVE-2026-59858
8.4HIGH
What is CVE-2026-59858?
The Vim text editor, an open-source tool, has a vulnerability in its C omni-completion script prior to version 9.2.0735. This issue involves the interpolation of tag entry fields that are not properly escaped when forming a vimgrep pattern. Due to how the vimgrep command handles the bar ('|') as a command separator, a maliciously crafted tags file can allow an attacker to manipulate the execution of arbitrary Ex commands within Vim. Specifically, when users open a .c file containing this tainted tag entry and invoke C omni-completion, the vulnerability can be exploited, leading to potential code execution under the user’s privileges. Users are recommended to update to version 9.2.0735 to mitigate this risk.
Affected Version(s)
vim < 9.2.0735
