CVE-2026-33412 PUBLISHED

Vim affected by Command injection via newline in glob()

Assigner: GitHub_M
Reserved: 19.03.2026 Published: 24.03.2026 Updated: 24.03.2026

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CVSS Score: 5.6

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0202 is affected

References

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE