Description

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
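As an added illustration (not netrw's or Vim's own code), the escaping difference the description turns on: a hypothetical helper that escapes only the backslash, beside one that uses fnameescape(), plus a deletion routine that never hands the filename to :execute at all. The function names and the sample filename are assumed for this example.

```vim
" Added example, not code from netrw. Two ways of preparing a filename that
" came from a directory listing before it is interpolated into an Ex command.

function! s:WeakQuote(fname) abort
  " Only the backslash is escaped. A '|' in the name is left untouched, and
  " on an Ex command line an unescaped '|' ends the current command, so
  " whatever follows it would be parsed as a separate command by :execute.
  return escape(a:fname, '\')
endfunction

function! s:SafeQuote(fname) abort
  " fnameescape() escapes every character that is special in a file name
  " argument on an Ex command line, including '|', '%', '#' and whitespace.
  return fnameescape(a:fname)
endfunction

" Constructed sample name containing a bar.
let s:sample = 'report|notes.txt'
echo 'weak: ' . s:WeakQuote(s:sample)
echo 'safe: ' . s:SafeQuote(s:sample)

" Preferred for the deletion itself: call delete() directly with the name as a
" plain string, so no Ex-line parsing of the filename happens at all.
function! s:RemoveLocal(fname) abort
  if delete(a:fname) != 0
    echoerr 'unable to delete ' . a:fname
  endif
endfunction
```

In the echoed output only the fnameescape() form carries a backslash before the bar; the weak form returns the name unchanged.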

Severity (CVSS)

Base score: 5.7
Severity: Medium
Version: CVSS 4.0
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Provided by: CNA

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Affected products

Vendor  Product  Versions
vim     vim      < 9.2.0663

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 26 Jun 2026 07:05 UTC.