VDB
DEBIAN-CVE-2019-12735
PUBLISHED
CVSS 8.6 HIGH
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
Risk Scores
CVSS 3.0
8.6
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | vim | 0, 0, 0 |
| Debian:11 | vim | 0, 0, 0 |
| Debian:13 | neovim | 0, 0, 0 |
| Debian:12 | neovim | 0, 0, 0 |
| Debian:14 | neovim | 0, 0, 0 |
| Debian:14 | vim | 0, 0, 0 |
| Debian:11 | neovim | 0, 0, 0 |
| Debian:12 | vim | 0, 0, 0 |
Exploit Intelligence
- datntsec/CVE-2019-12735 (github-poc-repo)
- Docker image that lets me study the exploitation of the VIM exploit (github-poc-repo)
- A demo for cve-2019-12735 (github-poc-repo)
- A demo for cve-2019-12735 (github-poc)
- Docker image that lets me study the exploitation of the VIM exploit (github-poc)
- datntsec/CVE-2019-12735 (github-poc)
- oldthree3/CVE-2019-12735-VIM-NEOVIM (github-poc)
- Vim/Neovim Arbitrary Code Execution via Modelines (CVE-2019-12735) (github-poc)
- glcve_test.go (github-poc)
Timeline
- Jun 5, 2019 CVE Published
- Apr 28, 2026 CVE Updated