CVE-2026-35177 — Path Traversal in VIM

CWE-22 — Path Traversal34 documents7 sources

Severity

4.1MEDIUMNVD

EPSS

0.0%

top 96.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian VIM Msrc Azl3 VIM 9.2.0240-1 ON Azure Linux 3.0 Msrc Cbl2 VIM 9.2.0240-1 ON CBL Mariner 2.0

Timeline

PublishedApr 6

Description

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:LExploitability: 1.0 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/vim< vim 2:9.2.0315-1 (sid)

▶msrcmsrc/azl3_vim_9.2.0240-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_vim_9.2.0240-1_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CVE-2026-35177: Vim is an open source, command line text editor↗2026-04-06

▶

📋Vendor Advisories

Red Hat

vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass↗2026-04-06

▶

Microsoft

Path traversal issue with zip.vim in Vim↗2026-04-02

▶

Debian

CVE-2026-35177: vim - Vim is an open source, command line text editor. Prior to 9.2.0280, a path trave...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34714 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34379 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28422 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34378 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28419 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass [fedora-42]↗2026-04-06

▶

Bugzilla

CVE-2026-35177 vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass↗2026-04-06

▶