CVE-2026-39881

Vim Ex command injection in Vims NetBeans integration

Published: 4/8/2026 Last updated: 4/9/2026 Reserved: 4/7/2026

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5	Medium	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N

Opam packages affected (1)

conf-vim

Products affected (2)

Product	Vendor	Version
vim	vim	n/a
vim	vim	n/a

References (6)

https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19
https://github.com/vim/vim/releases/tag/v9.2.0316
https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6
https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19
https://github.com/vim/vim/releases/tag/v9.2.0316
https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6