CVE-2026-34982 PUBLISHED

Vim modeline bypass via various options affects Vim < 9.2.0276

Assigner: GitHub_M
Reserved: 31.03.2026 Published: 06.04.2026 Updated: 06.04.2026

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The complete, guitabtooltip and printheader options are missing the P_MLE flag, allowing a modeline to be executed. Additionally, the mapset() function lacks a check_secure() call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.2

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0276 is affected

References

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE