CVE Alert

CVE-2026-57456

Severity: UNKNOWN (CVSS 0.0)

Vim: Arbitrary Code Execution via Python Omni-Completion Docstrings

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A CVSS of 0.0 with severity UNKNOWN means no score has been assigned yet, not that the impact is low; the same goes for an EPSS of 0.0% at the 0th percentile on a record published the same day. Until a score lands, the description below (arbitrary code execution from a hostile Python buffer) is the better risk signal.

Vim is an open source, command-line text editor. Before 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) rebuilds the function and class definitions found in the current buffer as Python source and runs that source with exec() to populate the completion dictionary. When rebuilding each scope, its docstring is inserted verbatim between triple quotes with no escaping, so a docstring that itself contains three double quotes closes the literal early and whatever follows is parsed as code. A hostile file can therefore run attacker-controlled Python in the editor's embedded interpreter when the user triggers omni-completion (CTRL-X CTRL-O in insert mode) in that buffer. The issue is fixed in 9.2.0699; :version shows the running Vim version.
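To make the injection concrete, here is an added Python illustration written for this page; it is not Vim's code and not the upstream fix. The stub template (a def line, the docstring, then pass) and the helper names are assumptions, and the hostile docstring is constructed for the demonstration. The unsafe builder splices the docstring verbatim as the advisory describes, the safe builder uses repr() to emit an escaped literal that cannot terminate itself, and a third function shows how to read names, parameters and docstrings with the ast module without calling exec() at all.

```python
import ast

# Constructed, hostile buffer content for the demonstration (not from the
# advisory): the "docstring" closes the triple-quoted literal early, runs a
# statement at module level, and opens an `if 0:` block so that the template's
# own closing quotes and trailing `pass` still parse as valid Python.
HOSTILE_DOCSTRING = '"""\nPWNED.append("ran during completion")\nif 0:\n    """'


def build_stub_unsafe(name, args, docstring):
    """Vulnerable pattern (assumed template, not Vim's exact code): the
    docstring is spliced verbatim between triple quotes, so any triple
    quote inside it ends the literal and the rest becomes code."""
    return 'def %s(%s):\n    """%s"""\n    pass\n' % (name, args, docstring)


def build_stub_safe(name, args, docstring):
    """Hardened splice: repr() emits a fully escaped string literal, so no
    docstring content can terminate the literal it is embedded in."""
    return 'def %s(%s):\n    %s\n    pass\n' % (name, args, repr(docstring))


def exec_stub(source):
    """Execute a reconstructed stub the way a completion engine that relies
    on exec() would.  Returns (namespace, pwned); `pwned` is a marker list
    that the constructed payload appends to if it runs at exec time."""
    pwned = []
    namespace = {"PWNED": pwned}
    exec(source, namespace)  # the dangerous step the advisory describes
    return namespace, pwned


def describe_functions_without_exec(buffer_text):
    """Alternative that never executes buffer content: parse it with ast and
    read names, parameters and docstrings from the tree.  A hostile docstring
    is just a string constant here.  Returns {name: (params, docstring)}."""
    result = {}
    for node in ast.walk(ast.parse(buffer_text)):
        if isinstance(node, ast.FunctionDef):
            params = [a.arg for a in node.args.args]
            result[node.name] = (params, ast.get_docstring(node, clean=False))
    return result


def demo():
    """Run both splices against the hostile docstring; return a summary dict."""
    summary = {}

    unsafe_src = build_stub_unsafe("foo", "x", HOSTILE_DOCSTRING)
    _, pwned = exec_stub(unsafe_src)
    summary["unsafe_payload_ran"] = bool(pwned)  # True: payload escaped the literal

    safe_src = build_stub_safe("foo", "x", HOSTILE_DOCSTRING)
    ns, pwned = exec_stub(safe_src)
    summary["safe_payload_ran"] = bool(pwned)  # False: stayed inside the literal
    # The docstring round-trips intact, so completion still gets its text.
    summary["safe_doc_intact"] = ns["foo"].__doc__ == HOSTILE_DOCSTRING

    # ast-based path: the source is parsed, never executed.
    summary["ast_doc"] = describe_functions_without_exec(safe_src)["foo"][1]
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the payload executing under the verbatim splice and staying inert under repr(), with the docstring text preserved for the completion popup. The ast path is the stronger design because it removes exec() from the completion path entirely; whether the upstream fix took that route is not stated on this page, so check the linked commit.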

CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Vendor: vim
Product: vim
Published: Jun 25, 2026
Last Updated: Jun 25, 2026

Affected Versions

vim / vim
< 9.2.0699

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3
Commit: https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8
Release: https://github.com/vim/vim/releases/tag/v9.2.0699