CVE-2026-33412 MEDIUM

CVE-2026-33412: Vim affected by Command injection via newline in glob()

Vendor: Vim
Product: vim
Weakness: CWE-78
Published: March 24, 2026
Last update: June 30, 2026

CVSS base score

5.6/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

Vim is an open-source, command-line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. Whether the issue is exploitable depends on the user's 'shell' setting. The issue is patched in version 9.2.0202.
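A defender-side check for the fix level named above, as an added example (not code from the Vim project or from this record): it parses `vim --version` text and reports whether patch 202 of 9.2 falls inside the "Included patches" ranges, so a build with a gap around that patch is not mistaken for fixed. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Vim project code). Function names are hypothetical.
# Constructed samples of `vim --version` output (first two lines only).
SAMPLE_OLD='VIM - Vi IMproved 9.1 (constructed sample)
Included patches: 1-1230'
SAMPLE_GAP='VIM - Vi IMproved 9.2 (constructed sample)
Included patches: 1-201, 203-210'
SAMPLE_FIXED='VIM - Vi IMproved 9.2 (constructed sample)
Included patches: 1-202'

# Reads `vim --version` text on stdin.
# Exit 0: fix present; 1: predates 9.2.0202; 2: not parseable.
vim_has_fix() {
    awk -v fmaj=9 -v fmin=2 -v fpatch=202 '
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
            split($5, v, "."); major = v[1] + 0; minor = v[2] + 0; seen = 1
        }
        /^Included patches:/ {
            sub(/^Included patches:[ \t]*/, "")
            n = split($0, items, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                # An item is a single patch "647" or a range "1-1230".
                m = split(items[i], r, "-")
                lo = r[1] + 0; hi = (m > 1 ? r[2] : r[1]) + 0
                if (lo <= fpatch && fpatch <= hi) covered = 1
            }
        }
        END {
            if (!seen) exit 2
            if (major > fmaj || (major == fmaj && minor > fmin)) exit 0
            if (major == fmaj && minor == fmin && covered) exit 0
            exit 1
        }
    '
}

# Prints a one-word verdict for the version text on stdin.
check_vim() {
    if vim_has_fix; then echo "patched"
    else case $? in 1) echo "vulnerable" ;; *) echo "unknown" ;; esac
    fi
}

# Demo on the constructed samples; real use: vim --version | check_vim
for s in "$SAMPLE_OLD" "$SAMPLE_GAP" "$SAMPLE_FIXED"; do
    printf '%s\n' "$s" | check_vim
done
```

A distribution package that backports the fix without listing upstream patch 202 will read as vulnerable here; confirm against the distributor's advisory in that case.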

Key dates

02 Disclosure timeline

March 24, 2026: CVE published
June 30, 2026: Record updated