CVE-2026-41411

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.6 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L                                    

Vulnerability Description

Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

Vulnerability Details

Published Date

April 24, 2026

Last Modified

April 24, 2026

CWE ID

CWE-78

Source

NVD

Vendor

vim

Product

vim

External References

https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
https://github.com/vim/vim/releases/tag/v9.2.0357
https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8

CVE-2026-41411

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment