CVE-2026-39881 — Code Injection in VIM

CWE-94 — Code Injection CWE-78 — OS Command Injection8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 63.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM

Timeline

PublishedApr 8

Latest updateApr 13

Description

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:NExploitability: 0.8 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5vim/vim< 9.2.0316

▶debiandebian/vim

🔴Vulnerability Details

VulDB

vim up to 9.2.315 defineAnnoType/specialKeys code injection (GHSA-mr87-rhgv-7pw6 / Nessus ID 305618)↗2026-04-13

▶

OSV

CVE-2026-39881: Vim is an open source, command line text editor↗2026-04-08

▶

📋Vendor Advisories

Red Hat

vim: Vim: Arbitrary code execution via command injection in NetBeans interface↗2026-04-08

▶

Debian

CVE-2026-39881: vim - Vim is an open source, command line text editor. Prior to 9.2.0316, a command in...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-39881 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-39881 vim: Vim: Arbitrary code execution via command injection in NetBeans interface [fedora-all]↗2026-04-08

▶

Bugzilla

CVE-2026-39881 vim: Vim: Arbitrary code execution via command injection in NetBeans interface↗2026-04-08

▶