← voltar
CVE-2026-42307

Vim: OS Command Injection in netrw

CVSS 4.4 MEDIUMEPSS 0.8%CWE-78
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.4EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
08 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Produtos afetados
vim · vim

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fchttps://github.com/vim/vim/releases/tag/v9.2.0383https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx