Vim: Malicious URLs Can Execute Commands with Elevated Privileges
CVE-2026-28417
Summary
Vim's bundled netrw plugin, which browses and edits files over network protocols, has an OS command injection flaw: by getting a user to open a crafted URL, an attacker can run arbitrary shell commands with the privileges of the Vim process, that is, with the same access as the user running Vim. To fix this issue, update Vim to version 9.2.0073 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| vim | vim | <= 9.2.0073 | – |
Original description
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
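A defender-side check for this issue, added here as an example and not part of the advisory or of the Vim project's own code: it parses the banner that `vim --version` prints and reports whether the build predates the 9.2.0073 fix named in the description. The banner layout it expects (a "VIM - Vi IMproved X.Y" line plus an "Included patches:" line) and the sample strings are assumptions; the samples are constructed, not real captures.

```python
import re

# Per the advisory text: versions prior to 9.2.0073 are affected, i.e. the fix
# is a Vim 9.2 build that includes patch 73.
FIXED_MAJOR_MINOR = (9, 2)
FIXED_PATCH = 73


def parse_vim_version(version_output):
    """Return ((major, minor), set_of_included_patches) from `vim --version` text.

    Assumed layout: Vim prints its base version on the banner line
    ("VIM - Vi IMproved 9.2 ...") and the patches it includes on a separate
    line such as "Included patches: 1-73" or "Included patches: 1-50, 52-73".
    Returns None when the banner line is not found.
    """
    banner = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", version_output)
    if banner is None:
        return None
    major_minor = (int(banner.group(1)), int(banner.group(2)))

    included = set()
    patches = re.search(r"Included patches:\s*([0-9,\- ]+)", version_output)
    if patches is not None:
        for chunk in patches.group(1).split(","):
            chunk = chunk.strip()
            if not chunk:
                continue
            if "-" in chunk:
                lo, hi = chunk.split("-", 1)
                included.update(range(int(lo), int(hi) + 1))
            else:
                included.add(int(chunk))
    return major_minor, included


def is_affected(version_output):
    """True if the reported Vim build predates the 9.2.0073 fix.

    A build newer than 9.2 is considered fixed; a 9.2 build is fixed only if
    patch 73 is actually in its included set (a gap such as "1-72, 74-80"
    still counts as affected). An unparsable banner fails safe as affected.
    """
    parsed = parse_vim_version(version_output)
    if parsed is None:
        return True
    major_minor, included = parsed
    if major_minor > FIXED_MAJOR_MINOR:
        return False
    if major_minor < FIXED_MAJOR_MINOR:
        return True
    return FIXED_PATCH not in included


# Constructed sample banners (not real captures) covering the three outcomes.
SAMPLE_OLD = "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)\nIncluded patches: 1-1000\n"
SAMPLE_GAP = "VIM - Vi IMproved 9.2 (2026 Jan 01, compiled ...)\nIncluded patches: 1-72, 74-80\n"
SAMPLE_FIXED = "VIM - Vi IMproved 9.2 (2026 Jan 01, compiled ...)\nIncluded patches: 1-73\n"

if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
        print("affected" if is_affected(out) else "not affected (by version)")
    except FileNotFoundError:
        print("vim not found on PATH; checking constructed samples instead")
        for name, sample in [("old", SAMPLE_OLD), ("gap", SAMPLE_GAP), ("fixed", SAMPLE_FIXED)]:
            print(name, "->", "affected" if is_affected(sample) else "not affected")
```

Treat the result as a hint rather than a verdict: distribution packages often backport a fix without raising the reported patch level, so a build flagged here should be confirmed against the vendor's own advisory. Where the plugin is not needed at all, Vim's netrw documentation describes keeping it from loading with `let g:loaded_netrwPlugin = 1` in the vimrc, which removes the affected code path regardless of version (this mitigation is from Vim's documentation, not from the advisory above).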
NVD CVSS 3.1 score: 7.8
Vulnerability type
- CWE-86
- CWE-78 (OS Command Injection)
References
- Patch: https://github.com/vim/vim/commit/79348dbbc09332130f4c860
- Release notes: https://github.com/vim/vim/releases/tag/v9.2.0073
- Vendor advisory (patch): https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336
- Third-party advisory, mailing list (patch): http://www.openwall.com/lists/oss-security/2026/02/27/6
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026