CVE-2026-33412

EPSS 0.01%
Veröffentlicht 24.03.2026 19:43:07
Zuletzt bearbeitet 25.03.2026 21:59:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vim affected by Command injection via newline in glob()

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vim ≫ Vim Version < 9.2.0202

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.011

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	5.6	1.3	4.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c

Patch

Vendor Advisory

https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a

Patch

https://github.com/vim/vim/releases/tag/v9.2.0202

Product

http://www.openwall.com/lists/oss-security/2026/03/19/10

Patch

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-33412