Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

amazon_alas ALAS2023-2026-1862: Amazon Linux 2023 Security Advisory:ALAS2023-2026-1862

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2313-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0317 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2026-44656:
    Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection     vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-     enclosed shell commands, those commands are executed during file name completion. Because the path option     lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of     a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find     completion. This issue has been patched in version 9.2.0435.

    CVE-2026-42307:
    Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection     vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted     URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell     commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES16 / SLES_SAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:21859-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20828-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Vim installed on the remote host is prior to 9.2.0383. It is, therefore, affected by a vulnerability as referenced in the GHSA-85ch-p2qr-m5gx advisory.

  - An OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. The suffix     extraction logic in s:GetTempfile() allows arbitrary characters after the dot in a filename, permitting     shell metacharacters to be embedded in the suffix. Since this temporary file name is passed to external     commands without proper escaping, an attacker can inject arbitrary shell commands by inducing a user to     open a crafted URL. This vulnerability is fixed in 9.2.0383. (CVE-2026-42307)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8304-1 advisory.

    Joshua Rogers discovered that Vim incorrectly handled certain URL schemes in the netrw plugin. An attacker     could possibly use this issue to execute arbitrary commands. (CVE-2026-42307)

    It was discovered that Vim incorrectly handled command-line completion for the :find command. An attacker     could possibly use this issue to execute arbitrary commands. (CVE-2026-44656)

    Daniel Cervera discovered that Vim incorrectly handled loading spell files. An attacker could possibly use     this issue to cause a denial of service, or to execute arbitrary code. (CVE-2026-45130)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection     vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted     URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell     commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
    (CVE-2026-42307)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
321049	SUSE SLES15 Security Update : vim (SUSE-SU-2026:2313-1)	Nessus	SuSE Local Security Checks	medium
319730	TencentOS Server 4: vim (TSSA-2026:0317)	Nessus	Tencent Local Security Checks	medium
318205	SUSE SLES16 Security Update : vim (SUSE-SU-2026:21859-1)	Nessus	SuSE Local Security Checks	medium
318124	openSUSE 16 Security Update : vim (openSUSE-SU-2026:20828-1)	Nessus	SuSE Local Security Checks	medium
317737	Vim < 9.2.0383 OS Command Injection in netrw (GHSA-85ch-p2qr-m5gx)	Nessus	Misc.	medium
316886	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Vim vulnerabilities (USN-8304-1)	Nessus	Ubuntu Local Security Checks	medium
313604	Linux Distros Unpatched Vulnerability : CVE-2026-42307	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-42307

medium

Tenable Plugins

Coming Soon

medium

medium

medium

medium

medium

medium

medium