CVE-2026-35177

Path traversal issue with zip.vim in Vim

Published: 4/6/2026
Last updated: 4/7/2026
Reserved: 4/1/2026

Vim is an open source, command-line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows arbitrary files to be overwritten when a specially crafted zip archive is opened, circumventing the previous fix for CVE-2025-53906. The vulnerability is fixed in 9.2.0280.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa)
Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---------|-------|----------|---------------|
| 3.1 | 4.1 | Medium | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L |

Opam packages affected (1)

conf-vim

Products affected (1)

| Product | Vendor | Version |
|---------|--------|---------|
| vim | vim | n/a |

References (2)