CVE-2026-46483
3.6 LOWVim is an open source, command line text editor
Published: 2026-05-15 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 3.6 LOW
- Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- CWE
- CWE-78, CWE-88
Affected products
| Vendor | Product |
|---|---|
| vim | vim |
Description
Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-45130 — Vim is an open source, command line text editor (6.6 MEDIUM)
- CVE-2026-25749 — Vim is an open source, command line text editor (6.6 MEDIUM)
- CVE-2025-22134 — When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because... (4.2 MEDIUM)
- CVE-2024-43374 — The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling (4.5 MEDIUM)
- CVE-2021-4019 — vim is vulnerable to Heap-based Buffer Overflow (7.8 HIGH)
Same CWE
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-42563 — Dulwich is a pure-Python implementation of the Git file formats and protocols
- CVE-2026-0273 — A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
- CVE-2026-6893 — A flaw was found in dracut (8.8 HIGH)
- CVE-2026-46643 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page