CVE-2026-28417

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.4 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N                                    

Vulnerability Description

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Vulnerability Details

Published Date

February 27, 2026

Last Modified

February 28, 2026

CWE ID

CWE-86

Source

NVD

Vendor

vim

Product

vim

External References

https://github.com/vim/vim/commit/79348dbbc09332130f4c860
https://github.com/vim/vim/releases/tag/v9.2.0073
https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336

CVE-2026-28417

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment