CVE-2026-41411 PUBLISHED

Vim: Command injection via backtick expansion in tag filenames

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 24.04.2026 Updated: 24.04.2026

Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., command), Vim executes the embedded command via the system shell with the full privileges of the running user.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
CVSS Score: 6.6

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0357 is affected

References

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE