Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-75b5ddf8c3 advisory.

    keep GTK4 in rawhide for now

    ----

    switch to GTK4 for GVim

    Fix CVE-2026-46483

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES16 / SLES_SAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:21859-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20828-1 advisory.

    This update for vim fixes the following issues

    - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes     (bsc#1261833).
    - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw     standard plugin       bundled with Vim (bsc#1264706).
    - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
    - CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find     command-line       completion (bsc#1264707).
    - CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in     src/spellfile.c when       loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
    - CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing     `.tgz`       archives on Unix-like systems (bsc#1265360).

    Changes for vim:

    - Update to v9.2.0530.
    - Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability     exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like     systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the     {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute     shell commands in the user's context. This vulnerability is fixed in 9.2.0479. (CVE-2026-46483)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
318269	Fedora 43 : vim (2026-75b5ddf8c3)	Nessus	Fedora Local Security Checks	high
318205	SUSE SLES16 Security Update : vim (SUSE-SU-2026:21859-1)	Nessus	SuSE Local Security Checks	medium
318124	openSUSE 16 Security Update : vim (openSUSE-SU-2026:20828-1)	Nessus	SuSE Local Security Checks	medium
315012	Linux Distros Unpatched Vulnerability : CVE-2026-46483	Nessus	Misc.	high

Detections

Analytics

CVE-2026-46483

high

Tenable Plugins

high

medium

medium

high