Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:28133 advisory.

    Vim (Vi IMproved) is an updated and improved version of the vi editor.

    Security Fix(es):

    * vim: arbitrary command execution via modeline sandbox bypass (CVE-2026-34982)

    * vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass (CVE-2026-35177)

    * vim: Vim: Command injection allows arbitrary code execution via malicious tag files (CVE-2026-41411)

    * vim: command injection when decompressing .tgz archives (CVE-2026-46483)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1862 advisory.

    Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's     zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives,     circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
    (CVE-2026-35177)

    Ex command injection in Vim's NetBeans integration before v9.2.0316. The netbeans defineAnnoType command     passes typeName, fg and bg unsanitized to coloncmd(), allowing a malicious NetBeans server to inject     arbitrary Ex commands via '|'. Similarly, specialKeys does not validate key tokens before building a map     command. (CVE-2026-39881)

    Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection     vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted     URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell     commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
    (CVE-2026-42307)

    A Vimscript code injection vulnerability exists in `s:NetrwMarkFile()` in thenetrw plugin     (`runtime/pack/dist/opt/netrw/autoload/netrw.vim`) whenunmarking files from the global marked-file list.
    A filename derivedfrom the buffer's directory listing is interpolated into a stringexpression passed to     `filter()`, allowing a crafted filename containinga double quote to break out of the quoted string literal     and executearbitrary Vimscript, including shell commands via `execute()` and `:!`.

    ## Description`s:NetrwMarkFile()` maintains two marked-file lists: a buffer-local listand a global list.
    When a file is unmarked, both lists are updated.The buffer-local list uses the safe pattern:

    call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')

    where `a:fname` is referenced as a variable inside the filter expressionand resolved at evaluation time.
    The global list, however, interpolatedthe filename's value directly into the expression string:

    let dname = netrw#fs#ComposePath(b:netrw_curdir, a:fname)...call filter(s:netrwmarkfilelist, 'v:val !=     '.dname.'')

    When `filter()` receives a string argument, the string is parsed as aVimscript expression.  A filename     containing `` terminates the quotedliteral early, after which the remainder of the filename is evaluated     asVimscript.  Calls such as `execute(!cmd)` inside the injected fragmentrun arbitrary Ex commands with     the privileges of the user running Vim.The filename reaches `s:NetrwMarkFile()` through the `mf` mapping,     whichcalls `s:NetrwGetWord()` to read the filename from the current line ofthe netrw directory listing.
    The injection only triggers on the second`mf` press for a given entry, because the first press takes     the`add()` branch and only the second takes the vulnerable `filter()`branch. (CVE-2026-43961)

    Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection     vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-     enclosed shell commands, those commands are executed during file name completion. Because the path option     lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of     a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find     completion. This issue has been patched in version 9.2.0435. (CVE-2026-44656)

    Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists     in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active.
    An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer     multiplication, causing a small buffer to be allocated for a write loop that runs many iterations,     overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can     trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has     been patched in version 9.2.0450. (CVE-2026-45130)

    Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability     exists in tar#Vimuntar() inruntime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems.
    The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag,     allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in     the user's context. This vulnerability is fixed in 9.2.0479. (CVE-2026-46483)

    Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection     vulnerability exists in s:NetrwBookHistSave() in the netrw plugin     (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history     file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted     Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to     break out of the string context and execute arbitrary Vimscript, including shell commands via system() and     :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
    (CVE-2026-47162)

    Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability     exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with     +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or     stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing     a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary     shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version     9.2.0496. (CVE-2026-47167)

    Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion     script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy     pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found     in the current buffer through Python's import machinery. Because the buffer's working directory is on     sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that     package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
    (CVE-2026-52858)

    Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function     in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken.
    For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it     encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots -- a     base character plus five combining marks -- the bundled libvterm returns the array without a terminating     NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer     reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger     this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in     version 9.2.0565. (CVE-2026-52859)

    Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion     executes reconstructed function and class definitions from the current buffer with exec() as part of     populating the completion dictionary. Python evaluates function default values, parameter annotations, and     class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python     expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-     rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from     statement. This issue has been patched in version 9.2.0597. (CVE-2026-52860)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:28050 advisory.

    Vim (Vi IMproved) is an updated and improved version of the vi editor.

    Security Fix(es):

    * vim: arbitrary command execution via modeline sandbox bypass (CVE-2026-34982)

    * vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass (CVE-2026-35177)

    * vim: Vim: Command injection allows arbitrary code execution via malicious tag files (CVE-2026-41411)

    * vim: command injection when decompressing .tgz archives (CVE-2026-46483)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:28049 advisory.

    Vim (Vi IMproved) is an updated and improved version of the vi editor.

    Security Fix(es):

    * vim: arbitrary command execution via modeline sandbox bypass (CVE-2026-34982)

    * vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass (CVE-2026-35177)

    * vim: Vim: Command injection allows arbitrary code execution via malicious tag files (CVE-2026-41411)

    * vim: command injection when decompressing .tgz archives (CVE-2026-46483)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0347 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2026-46483:
    Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability     exists in tar#Vimuntar() in     runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds     :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted     archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's     context. This vulnerability is fixed in 9.2.0479.

    CVE-2025-24014:
    Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In     silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode.
    However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim     by feeding some binary characters to Vim. The function that handles the scrolling however may be     triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been     allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2313-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8415-1 advisory.

    It was discovered that Vim incorrectly handled marked filenames in the netrw plugin. An attacker could     possibly use this issue to execute arbitrary code. (CVE-2026-43961)

    It was discovered that Vim incorrectly handled filenames when decompressing certain archives. An attacker     could possibly use this issue to execute arbitrary code. (CVE-2026-46483)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-75b5ddf8c3 advisory.

    keep GTK4 in rawhide for now

    ----

    switch to GTK4 for GVim

    Fix CVE-2026-46483

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES16 / SLES_SAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:21859-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20828-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability     exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like     systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the     {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute     shell commands in the user's context. This vulnerability is fixed in 9.2.0479. (CVE-2026-46483)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
322216	RHEL 9 : vim (RHSA-2026:28133)	Nessus	Red Hat Local Security Checks	high
322106	Amazon Linux 2023 : vim-common, vim-data, vim-default-editor (ALAS2023-2026-1862)	Nessus	Amazon Linux Local Security Checks	high
321984	RHEL 9 : vim (RHSA-2026:28050)	Nessus	Red Hat Local Security Checks	high
321978	RHEL 9 : vim (RHSA-2026:28049)	Nessus	Red Hat Local Security Checks	high
321109	TencentOS Server 4: vim (TSSA-2026:0347)	Nessus	Tencent Local Security Checks	high
321049	SUSE SLES15 Security Update : vim (SUSE-SU-2026:2313-1)	Nessus	SuSE Local Security Checks	medium
320392	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Vim vulnerabilities (USN-8415-1)	Nessus	Ubuntu Local Security Checks	high
318269	Fedora 43 : vim (2026-75b5ddf8c3)	Nessus	Fedora Local Security Checks	high
318205	SUSE SLES16 Security Update : vim (SUSE-SU-2026:21859-1)	Nessus	SuSE Local Security Checks	medium
318124	openSUSE 16 Security Update : vim (openSUSE-SU-2026:20828-1)	Nessus	SuSE Local Security Checks	medium
315012	Linux Distros Unpatched Vulnerability : CVE-2026-46483	Nessus	Misc.	high

Detections

Analytics

CVE-2026-46483

high

Tenable Plugins

high

high

high

high

high

medium

high

high

medium

medium

high