CVE-2026-33412: OS Command Injection in VIM

CWE-78: OS Command Injection | 21 documents | 8 sources

Severity: 7.3 HIGH (NVD)
EPSS: 0.0% (top 99.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 24; Latest update Apr 13

Description

Vim is an open-source, command-line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems: a newline character (\n) embedded in a pattern passed to glob() can cause arbitrary shell commands to be executed. Whether this is exploitable depends on the user's 'shell' setting. The issue has been patched in version 9.2.0202.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (Exploitability: 1.3 | Impact: 5.9)

Affected Packages (5 packages)

NVD: vim/vim < 9.2.0202
Debian: debian/vim < vim 2:9.2.0218-1 (forky)
Debian: vim/vim < 2:9.2.0218-1

Patches

🔴 Vulnerability Details (1)

OSV: CVE-2026-33412: Vim is an open source, command line text editor (2026-03-24)

📋 Vendor Advisories (4)

Ubuntu: Vim vulnerabilities (2026-04-13)
Red Hat: vim: Vim: Arbitrary code execution via command injection in glob() function (2026-03-24)
Microsoft: Vim affected by Command injection via newline in glob() (2026-03-10)
Debian: CVE-2026-33412: vim - Vim is an open source, command line text editor. Prior to version 9.2.0202, a co... (2026)

🕵️ Threat Intelligence (14)

Wiz: CVE-2026-34714 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-28422 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-28419 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-25749 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-28420 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function (2026-03-24)
CVE-2026-33412 — OS Command Injection in VIM | cvebase