๐Ÿ” CVE Alert

CVE-2026-59856

UNKNOWN 0.0

Vim: Arbitrary Code Execution via PHP Omni-Completion

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
7th

Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.

CWE CWE-94
Vendor vim
Product vim
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for vim vim

Be the first to know when new unknown vulnerabilities affecting vim vim are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

vim / vim
< 9.2.0736

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/vim/vim/security/advisories/GHSA-fh26-8f79-wj97 github.com: https://github.com/vim/vim/commit/43afc581a37a35762dd0ef292f038b9dc5680a24