Command Injection Vulnerability in Vim Text Editor
CVE-2026-59858

8.4HIGH

Key Information:

Vendor

Vim

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59858?

The Vim text editor, an open-source tool, has a vulnerability in its C omni-completion script prior to version 9.2.0735. This issue involves the interpolation of tag entry fields that are not properly escaped when forming a vimgrep pattern. Due to how the vimgrep command handles the bar ('|') as a command separator, a maliciously crafted tags file can allow an attacker to manipulate the execution of arbitrary Ex commands within Vim. Specifically, when users open a .c file containing this tainted tag entry and invoke C omni-completion, the vulnerability can be exploited, leading to potential code execution under the user’s privileges. Users are recommended to update to version 9.2.0735 to mitigate this risk.

Affected Version(s)

vim < 9.2.0735

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.