CVE-2026-46483 PUBLISHED

Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

Assigner: GitHub_M
Reserved: 14.05.2026 Published: 15.05.2026 Updated: 15.05.2026

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 3.6

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.479 is affected

References

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE