CVE-2025-66476

EPSS 0.01%
Veröffentlicht 02.12.2025 21:49:24
Zuletzt bearbeitet 30.01.2026 18:50:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vim ≫ Vim Version < 9.1.1947

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.018

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834

Patch

Vendor Advisory

https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25

Patch

https://github.com/vim/vim/releases/tag/v9.1.1947

Release Notes

http://www.openwall.com/lists/oss-security/2025/12/02/5

Patch

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-66476

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66476

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66476

EUVD