CVE-2026-34714 PUBLISHED

Assigner: mitre
Reserved: 30.03.2026 Published: 30.03.2026 Updated: 31.03.2026

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
CVSS Score: 9.2

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Vim
Product	Vim
Versions	Default: unaffected affected from 0 to 9.2.0272 (excl.)

References

https://www.openwall.com/lists/oss-security/2026/03/30/3
https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459
https://github.com/vim/vim/releases/tag/v9.2.0272

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE