CVE-2026-47162 PUBLISHED

Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name

Assigner: GitHub_M
Reserved: 18.05.2026 Published: 11.06.2026 Updated: 12.06.2026

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0495 is affected

References

Problem Types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE