CVE-2025-53906: Path Traversal in VIM

CWE-22 Path Traversal | 13 documents | 9 sources
Severity: 4.1 MEDIUM (NVD)
EPSS: 0.0% (top 90.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 15; Latest update Apr 6

Description

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a fi

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Exploitability: 1.0 | Impact: 2.7

Affected Packages (9 packages)

CVEListV5: vim/vim < 9.2.0280
NVD: vim/vim < 9.1.1551
debian: debian/vim < vim 2:9.1.1829-1 (forky) (+1)
Debian: vim/vim < 2:9.1.1829-1
Apple: apple/macos_tahoe 26.1

Patches

🔴 Vulnerability Details (2)

OSV: CVE-2026-35177: Vim is an open source, command line text editor (2026-04-06)
OSV: CVE-2025-53906: Vim is an open source, command line text editor (2025-07-15)

📋 Vendor Advisories (7)

Red Hat: vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass (2026-04-06)
Debian: CVE-2026-35177: vim - Vim is an open source, command line text editor. Prior to 9.2.0280, a path trave... (2026)
Apple: CVE-2025-53906: macOS Tahoe 26.1 (2025-11-03)
Ubuntu: Vim vulnerabilities (2025-09-15)
Red Hat: vim: Vim path traversal (2025-07-15)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-35177 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-35177 vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass (2026-04-06)