Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Vim Update Fixes Security Flaws Allowing Hacker Access
SUSE-SU-2026:1387-1
Summary
A security update for the Vim text editor fixes three security flaws that could allow an attacker to execute malicious system commands on your computer. This could lead to unauthorized changes or data theft. To stay secure, update your Vim installation to the latest version.
What to do
- Update vim to version 9.2.0280-150000.5.89.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| SUSE:Linux Enterprise Micro 5.3 | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
| SUSE:Linux Enterprise Micro 5.4 | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
| SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
| SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
| SUSE:Linux Enterprise Server 15 SP4-LTSS | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
| SUSE:Linux Enterprise Server for SAP Applications 15 SP4 | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
| SUSE:Linux Enterprise Micro 5.2 | – | vim |
< 9.2.0280-150000.5.89.1 Fix: upgrade to 9.2.0280-150000.5.89.1
|
Original title
Security update for vim
Original description
This update for vim fixes the following issues:
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
- https://www.suse.com/support/update/announcement/2026/suse-su-20261387-1/ Vendor Advisory
- https://bugzilla.suse.com/1259985 Third Party Advisory
- https://bugzilla.suse.com/1261191 Third Party Advisory
- https://bugzilla.suse.com/1261271 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2026-33412 URL
- https://www.suse.com/security/cve/CVE-2026-34714 URL
- https://www.suse.com/security/cve/CVE-2026-34982 URL
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026