CVE-2026-28417 PUBLISHED

Vim has OS Command Injection in netrw

Assigner: GitHub_M
Reserved: 27.02.2026 Published: 27.02.2026 Updated: 28.02.2026

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the scp:// protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0073 is affected

References

https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336
https://github.com/vim/vim/commit/79348dbbc09332130f4c860
https://github.com/vim/vim/releases/tag/v9.2.0073

Problem Types

CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages CWE