CVE-2026-44656

Vim: OS Command Injection via 'path' completion

Published: 5/8/2026 Last updated: 5/11/2026 Reserved: 5/7/2026

Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	4.6	Medium	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Opam packages affected (1)

conf-vim

Products affected (2)

Product	Vendor	Version
vim	vim	n/a
vim	vim	Cisco Unified Customer Voice Portal

CVE-2026-44656

Vim: OS Command Injection via 'path' completion

Metrics

Opam packages affected (1)

Products affected (2)

References (6)