VDB
CVE-2026-42307
PUBLISHED
CVSS 4.4 MEDIUM
Reported by GitHub_M · Published May 8, 2026
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
EPSS 0.23% · 45.8th percentile
Risk Scores
CVSS v3.1
4.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS Score
0.23%
45.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| vim | vim | < 9.2.0383 |
| vim | vim | * |
Timeline
- May 8, 2026 CVE Published
- May 10, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
- May 27, 2026 EPSS Score
References
- https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx (vendor security advisory)
- https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc (fix commit)
- https://github.com/vim/vim/releases/tag/v9.2.0383 (patched release)