CVE-2026-39881 PUBLISHED

Vim Ex command injection in Vims NetBeans integration

Assigner: GitHub_M
Reserved: 07.04.2026 Published: 08.04.2026 Updated: 08.04.2026

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N
CVSS Score: 5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0316 is affected

References

https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6
https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19
https://github.com/vim/vim/releases/tag/v9.2.0316

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE