{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.010Z", "datePublished": "2026-04-08T20:18:19.774Z", "dateUpdated": "2026-04-09T13:50:24.001Z"}, "containers": {"cna": {"title": "Vim Ex command injection in Vims NetBeans integration", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6"}, {"name": "https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19"}, {"name": "https://github.com/vim/vim/releases/tag/v9.2.0316", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0316"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.2.0316", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:18:19.774Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316."}], "source": {"advisory": "GHSA-mr87-rhgv-7pw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:50:15.915453Z", "id": "CVE-2026-39881", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:50:24.001Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Vim Ex command injection in Vims NetBeans integration", "source": {"advisory": "GHSA-mr87-rhgv-7pw6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.2.0316"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6", "name": "https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19", "name": "https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0316", "name": "https://github.com/vim/vim/releases/tag/v9.2.0316", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:18:19.774Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:50:15.915453Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-09T13:50:19.099Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-39881", "state": "PUBLISHED", "dateUpdated": "2026-04-08T20:18:19.774Z", "dateReserved": "2026-04-07T20:32:03.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:18:19.774Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "A710E88E-39B9-4ACE-B88A-1B5E60BC2674", "versionEndExcluding": "9.2.0316", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316."}], "id": "CVE-2026-39881", "lastModified": "2026-04-22T16:50:17.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T21:17:00.400", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0316"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vim: Vim: Arbitrary code execution via command injection in NetBeans interface", "id": "2456722", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456722"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in Vim. A command injection vulnerability in Vim's NetBeans interface allows a malicious NetBeans server to execute arbitrary Ex commands when Vim connects to it. This occurs due to unsanitized strings in the defineAnnoType and specialKeys protocol messages, leading to arbitrary code execution."], "name": "CVE-2026-39881", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-08T20:18:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39881\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39881\nhttps://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19\nhttps://github.com/vim/vim/releases/tag/v9.2.0316\nhttps://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.0316)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vim", "source": "cna", "vendor": "vim"}, "product": "vim", "vendor": "vim"}], "analysis": {"en": {"generated_at": "2026-04-09T01:50:52.587365+00:00", "value": {"mitigation_remediation": ["Update Vim to version 9.2.0316 or later to eliminate the command injection flaw.", "If immediate update is not feasible, disable the NetBeans integration feature in Vim or avoid connecting to NetBeans servers that are not trusted until a patch is applied."], "summary": {"action": "Patch", "impact": "Command Execution"}, "threat_synthesis": {"affected_systems": "All Vim releases older than 9.2.0316 that enable the NetBeans integration feature are affected. Users who run Vim and connect to any NetBeans server are at risk, irrespective of the operating system, as long as the Vim client is using the vulnerable integration.", "description_and_impact": "Vim\u2019s NetBeans integration contains a command injection flaw that allows a malicious NetBeans server to send unsanitized strings to the Vim client. These strings are interpreted as Ex commands by Vim, giving the attacker the ability to run arbitrary commands on the machine where Vim is executing. The vulnerability stems from insufficient input validation in the defineAnnoType and specialKeys protocol messages.", "risk_and_exploitability": "The CVSS score of 5 indicates a moderate risk level and the EPSS score is unavailable, meaning the likely exploitation probability is not quantified. The vulnerability is not part of the CISA KEV catalog. Based on the description, it is inferred that the attacker must control the NetBeans server that the Vim client connects to, and the command injection occurs during the establishment of that connection. Exploitability therefore depends on the presence of an attacker\u2011controlled NetBeans service that the victim chooses to connect to or is automatically connected to through configuration."}}}}, "created": "2026-04-09T08:17:59.814757+00:00", "updated": "2026-04-09T08:27:22.971565+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}