CVE-2026-28417: Improper Neutralization of Invalid Characters in Identifiers in Web Pages in VIM

Severity
NVD: 7.8 HIGH
OSV: 6.6
EPSS: 0.0% (top 98.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 27
Latest update: Mar 16

Description

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (6 packages)

NVD: vim/vim < 9.2.0073
debian: debian/vim < vim 2:9.2.0119-1 (forky)
Debian: vim/vim < 2:9.2.0119-1
Ubuntu: vim/vim < 2:8.2.3995-1ubuntu2.26+6

Patches

🔴 Vulnerability Details (2)

OSV: vim vulnerabilities (2026-03-16)
OSV: CVE-2026-28417: Vim is an open source, command line text editor (2026-02-27)

📋 Vendor Advisories (4)

Ubuntu: Vim vulnerabilities (2026-03-16)
Red Hat: vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin (2026-02-27)
Microsoft: Vim has OS Command Injection in netrw (2026-02-10)
Debian: CVE-2026-28417: vim - Vim is an open source, command line text editor. Prior to version 9.2.0073, an O... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-28417 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin (2026-02-27)
CVE-2026-28417 — VIM vulnerability | cvebase