๐Ÿ” CVE Alert

CVE-2026-55895

UNKNOWN 0.0

Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.

CWE: CWE-78, CWE-94
Vendor: vim
Product: vim
Published: Jun 25, 2026
Last Updated: Jun 26, 2026
Affected Versions

vim / vim
< 9.2.0663
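
To check a host against the affected range above, the following added example (not part of the advisory or of Vim itself) parses `vim --version` output and applies the same rule as Vim's `has('patch-9.2.0663')`. The function names and the sample output are constructed for illustration.

```python
import re
import subprocess

FIXED_VERSION = (9, 2)   # from the advisory: fixed in 9.2.0663
FIXED_PATCH = 663

# Constructed sample output, not captured from a real host.
SAMPLE_GAP = """VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 01 2026 10:00:00)
Included patches: 1-600, 700
"""


def included_patches(text):
    """Expand the 'Included patches:' line (e.g. '1-16, 647') into a set."""
    line = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    patches = set()
    if line:
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", line.group(1)):
            patches.update(range(int(lo), int(hi or lo) + 1))
    return patches


def is_affected(text):
    """True if this build lacks patch 9.2.0663 (text is `vim --version` output)."""
    ver = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not ver:
        raise ValueError("input does not look like `vim --version` output")
    version = (int(ver.group(1)), int(ver.group(2)))
    if version != FIXED_VERSION:
        return version < FIXED_VERSION   # older release: affected; newer: fixed
    # Same release: a higher patch number alone is not enough, 663 must be listed.
    return FIXED_PATCH not in included_patches(text)


if __name__ == "__main__":
    print("constructed sample affected:", is_affected(SAMPLE_GAP))
    try:
        out = subprocess.run(["vim", "--version"], capture_output=True,
                             text=True, check=True).stdout
        print("local vim affected:", is_affected(out))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run vim:", exc)
```

Distribution packages sometimes backport fixes without raising the patch number, so an "affected" result is a prompt to check the package changelog rather than a final verdict.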

References

github.com: https://github.com/vim/vim/security/advisories/GHSA-vhh8-v6wx-hjjh
github.com: https://github.com/vim/vim/commit/55bc757a5d436e59d50fe43f7cda94b118f86cb2
github.com: https://github.com/vim/vim/releases/tag/v9.2.0663