CVE-2025-66476

EPSS 0.01%
Veröffentlicht 02.12.2025 21:49:24
Zuletzt bearbeitet 04.12.2025 17:15:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervim

≫

Produkt vim

Version < 9.1.1947

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.014

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834

https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25

https://github.com/vim/vim/releases/tag/v9.1.1947

http://www.openwall.com/lists/oss-security/2025/12/02/5

https://nvd.nist.gov/vuln/detail/CVE-2025-66476

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66476

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66476

EUVD