CVE-2026-57456

Vim: Arbitrary Code Execution via Python Omni-Completion Docstrings

CVSS 8.4 HIGHEPSS 0.1%CWE-94

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.4EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

vim · vim

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8 https://github.com/vim/vim/releases/tag/v9.2.0699 https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3