7.3

CVE-2026-33412

Vim affected by Command injection via newline in glob()

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VimVim Version < 9.2.0202
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.83% 0.531
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.3 1.3 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com 5.6 1.3 4.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.3 1.3 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
Patch
Vendor Advisory
https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
Patch
https://github.com/vim/vim/releases/tag/v9.2.0202
Product
http://www.openwall.com/lists/oss-security/2026/03/19/10
Patch
Third Party Advisory
Mailing List
https://access.redhat.com/errata/RHSA-2026:7335
https://access.redhat.com/errata/RHSA-2026:7243
https://access.redhat.com/errata/RHSA-2026:7239
https://access.redhat.com/errata/RHSA-2026:8423
https://access.redhat.com/errata/RHSA-2026:9832
https://access.redhat.com/errata/RHSA-2026:10065
https://access.redhat.com/errata/RHSA-2026:11768
https://access.redhat.com/errata/RHSA-2026:10097
https://access.redhat.com/errata/RHSA-2026:12274
https://access.redhat.com/errata/RHSA-2026:16174
https://access.redhat.com/errata/RHSA-2026:15087
https://access.redhat.com/errata/RHSA-2026:14773
https://access.redhat.com/errata/RHSA-2026:16008
https://access.redhat.com/errata/RHSA-2026:16009
https://access.redhat.com/errata/RHSA-2026:17596
https://access.redhat.com/errata/RHSA-2026:25096
https://access.redhat.com/errata/RHSA-2026:6502
https://access.redhat.com/errata/RHSA-2026:6539
https://access.redhat.com/errata/RHSA-2026:6540
https://access.redhat.com/errata/RHSA-2026:6617
https://access.redhat.com/errata/RHSA-2026:6619
https://access.redhat.com/errata/RHSA-2026:6620
https://access.redhat.com/errata/RHSA-2026:6725
https://access.redhat.com/errata/RHSA-2026:6729
https://access.redhat.com/errata/RHSA-2026:6730
https://access.redhat.com/errata/RHSA-2026:6731
https://access.redhat.com/errata/RHSA-2026:6736
https://access.redhat.com/errata/RHSA-2026:6915
https://access.redhat.com/errata/RHSA-2026:7711
https://access.redhat.com/errata/RHSA-2026:8259
https://access.redhat.com/security/cve/CVE-2026-33412
https://bugzilla.redhat.com/show_bug.cgi?id=2450907
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33412.json