{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34982", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.617Z", "datePublished": "2026-04-06T15:16:48.809Z", "dateUpdated": "2026-04-07T03:56:01.436Z"}, "containers": {"cna": {"title": "Vim modeline bypass via various options affects Vim < 9.2.0276", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9"}, {"name": "https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615"}, {"name": "https://github.com/vim/vim/releases/tag/v9.2.0276", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0276"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.2.0276", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:16:48.809Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue."}], "source": {"advisory": "GHSA-8h6p-m6gr-mpw9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/01/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-06T15:19:17.901Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-34982"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:56:01.436Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/01/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-06T15:19:17.901Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:33:37.790133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:33:40.983Z"}}], "cna": {"title": "Vim modeline bypass via various options affects Vim < 9.2.0276", "source": {"advisory": "GHSA-8h6p-m6gr-mpw9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.2.0276"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9", "name": "https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615", "name": "https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0276", "name": "https://github.com/vim/vim/releases/tag/v9.2.0276", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:16:48.809Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34982", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:40:39.509Z", "dateReserved": "2026-03-31T19:38:31.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:16:48.809Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "B64DB9F0-F10B-40FA-A094-9178E5991FFF", "versionEndExcluding": "9.2.0276", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue."}], "id": "CVE-2026-34982", "lastModified": "2026-04-22T20:10:01.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:38.777", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0276"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/01/1"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vim: arbitrary command execution via modeline sandbox bypass", "id": "2455400", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455400"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in Vim. A modeline is used to set specific editor options directly from a text file. However, the `complete`, `guitabtooltip`, `printheader` options and the `mapset` function lack proper security checks, allowing an attacker to bypass restrictions and cause arbitrary OS command execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable the modeline support by adding the following command to the Vim configuration file:\n~~~\nset nomodeline\n~~~"}, "name": "CVE-2026-34982", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-06T15:16:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34982\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34982\nhttp://www.openwall.com/lists/oss-security/2026/04/01/1\nhttps://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615\nhttps://github.com/vim/vim/releases/tag/v9.2.0276\nhttps://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9"], "statement": "To exploit this vulnerability, an attacker needs to convince a user to open a specially crafted file. The arbitrary OS command execution is restricted to the privileges of the user running Vim, limiting the potential of a full system compromise.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.0276)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vim", "source": "cna", "vendor": "vim"}, "product": "vim", "vendor": "vim"}], "analysis": {"en": {"generated_at": "2026-04-06T17:37:35.925569+00:00", "value": {"mitigation_remediation": ["Apply Vim update 9.2.0276 or newer to resolve the issue.", "If updating is not immediately possible, disable modeline parsing by setting the 'modeline' option to off until a patch is applied.", "Avoid using the 'complete', 'guitabtooltip', or 'printheader' options with untrusted files.", "Do not execute 'mapset()' in sandboxed or untrusted expressions.", "Verify the integrity of Vim binaries and ensure they match official signatures."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the open\u2011source Vim text editor, specifically all releases older than 9.2.0276. Users of Vim 9.2.0275 and earlier are susceptible. The vulnerability is present in the main Vim distribution (vim:vim) and any derivative that has not applied the patch from commit 75661a66a1db1e1f3f1245c615.", "description_and_impact": "A modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a specially crafted file. The missing P_MLE flag in several options enables the modeline to run commands. In addition, mapset() can be abused by sandboxed expressions. The vulnerability is a classic command injection flaw (CWE\u201178) that can compromise confidentiality, integrity, and availability by allowing an attacker to run system commands with the privileges of the Vim process.", "risk_and_exploitability": "The CVSS score of 8.2 reflects high severity. The EPSS score is not reported, but the vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation. The likely attack vector is local or when an attacker can prompt a user to open a crafted file, such as through a shared drive or email attachment. Exploitation requires no special permissions beyond the victim\u2019s Vim session, making it an attractive target for attackers seeking privilege escalation on a compromised machine."}}}}, "created": "2026-04-06T20:14:10.539564+00:00", "updated": "2026-04-06T21:32:23.613390+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}