CVE-2026-46483 LOW

CVE-2026-46483: Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

Vendor Vim

Product vim

Weakness CWE-78

Published May 15, 2026

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

3.6/10

Attack vector Local

Attack complexity High

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

Key dates

02Disclosure timeline

May 15, 2026 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-46483

Related vulnerabilities

CVE-2026-46483: Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

01Description

02Disclosure timeline

03References

04Related CVE