CVE-2026-46483
Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag
| CVSS Score | 3.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
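The following Vim script is an added illustration of the pattern the advisory describes, not the actual runtime/autoload/tar.vim code; the variable name `tartail` comes from the advisory text, while the helper name `s:GunzipCmd` and the sample file name are assumed.

```vim
" Added illustration of the weak and hardened shellescape() usage described in
" this advisory. This is NOT the real tar.vim code; s:GunzipCmd is assumed.

" Build the command line that :! would be given to decompress the archive.
" a:hardened == 0 mirrors the vulnerable pattern: shellescape() quotes the
" name for the shell, but leaves Vim's cmdline-special items (%, #, !, <cword>)
" untouched, so :! expands them before the shell ever sees the string.
" a:hardened == 1 passes the {special} argument, so shellescape() prefixes
" those items with a backslash, which :! strips again; the name then reaches
" the shell literally and no cmdline-special expansion takes place.
function! s:GunzipCmd(tartail, hardened) abort
  if a:hardened
    return 'gunzip ' . shellescape(a:tartail, 1)
  endif
  return 'gunzip ' . shellescape(a:tartail)
endfunction

" Constructed sample archive name containing one cmdline-special character.
let s:sample = 'report%notes.tgz'

" Compare the two command strings before anything is executed.
echo 'weak:     ' . s:GunzipCmd(s:sample, 0)
echo 'hardened: ' . s:GunzipCmd(s:sample, 1)

" Only the hardened form is safe to hand to :! (shown here, not run):
" exe 'silent !' . s:GunzipCmd(s:sample, 1)
```

Source this file with `:source` in Vim to see the two strings; the hardened one is the only form that should ever be passed to `:!`.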
| CWE | CWE-78 CWE-88 |
| Vendor | vim |
| Product | vim |
| Published | May 15, 2026 |
| Last Updated | May 15, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| vim / vim | < 9.2.479 |