{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28417", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.290Z", "datePublished": "2026-02-27T21:54:35.196Z", "dateUpdated": "2026-03-02T21:51:24.894Z"}, "containers": {"cna": {"title": "Vim has OS Command Injection in netrw", "problemTypes": [{"descriptions": [{"cweId": "CWE-86", "lang": "en", "description": "CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336"}, {"name": "https://github.com/vim/vim/commit/79348dbbc09332130f4c860", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/79348dbbc09332130f4c860"}, {"name": "https://github.com/vim/vim/releases/tag/v9.2.0073", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0073"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.2.0073", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T21:54:35.196Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue."}], "source": {"advisory": "GHSA-m3xh-9434-g336", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/27/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-28T00:15:30.536Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T21:51:08.852199Z", "id": "CVE-2026-28417", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:51:24.894Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/27/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-28T00:15:30.536Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28417", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T21:51:08.852199Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:51:18.274Z"}}], "cna": {"title": "Vim has OS Command Injection in netrw", "source": {"advisory": "GHSA-m3xh-9434-g336", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.2.0073"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336", "name": "https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/79348dbbc09332130f4c860", "name": "https://github.com/vim/vim/commit/79348dbbc09332130f4c860", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0073", "name": "https://github.com/vim/vim/releases/tag/v9.2.0073", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-86", "description": "CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T21:54:35.196Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28417", "state": "PUBLISHED", "dateUpdated": "2026-03-02T21:51:24.894Z", "dateReserved": "2026-02-27T15:33:57.290Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T21:54:35.196Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBFE68A3-A610-426A-A470-CDF78D00BBBF", "versionEndExcluding": "9.2.0073", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue."}], "id": "CVE-2026-28417", "lastModified": "2026-03-03T17:50:29.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-27T22:16:24.833", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/79348dbbc09332130f4c860"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0073"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/27/6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-86"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin", "id": "2443455", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443455"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-28417", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-02-27T21:54:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28417\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28417\nhttps://github.com/vim/vim/commit/79348dbbc09332130f4c860\nhttps://github.com/vim/vim/releases/tag/v9.2.0073\nhttps://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.0073)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vim", "source": "cna", "vendor": "vim"}, "product": "vim", "vendor": "vim"}], "analysis": {"en": {"generated_at": "2026-04-17T13:52:15.658121+00:00", "value": {"mitigation_remediation": ["Upgrade Vim to version 9.2.0073 or later to apply the official fix.", "If an upgrade cannot be performed immediately, disable the netrw plugin or the scp protocol handler by commenting out its loading or setting configuration options that prevent it from executing commands.", "Avoid opening URLs from untrusted sources or consider using neutral file transfer methods that do not rely on the netrw plugin."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via OS Command Injection"}, "threat_synthesis": {"affected_systems": "Any installation of Vim that uses the bundled netrw plugin and is running a version earlier than 9.2.0073 is affected. The flaw applies to the standard Vim distribution for Linux, macOS, Windows and other platforms where the plugin is enabled, regardless of whether it is compiled with or without network protocol support.", "description_and_impact": "Vim\u2019s netrw plugin, which supports file transfer protocols, builds system commands from user\u2011supplied URLs without proper sanitization. When a user opens a crafted URL such as one using the scp:// scheme, the plugin can inject arbitrary shell commands. The injected commands execute with the privileges of the user running Vim, enabling an attacker to run code on the host with that user\u2019s rights.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a moderate severity, while the EPSS score of less than one percent suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, limiting the evidence of real\u2011world attacks. Exploitation requires the victim to open a malicious URL; the most likely attack vector is a local user or an attacker who can trick a user into opening such a link. Because the injected commands run with the same privileges as the Vim process, a local attacker can achieve privilege escalation if the Vim process is started by a privileged account. The official patch is available in Vim 9.2.0073 and later."}}}}, "created": "2026-03-02T12:04:39.593107+00:00", "updated": "2026-04-17T14:00:15.807526+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}