CVE-2026-47167 PUBLISHED

Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex

Assigner: GitHub_M
Reserved: 18.05.2026 Published: 11.06.2026 Updated: 12.06.2026

Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features// or stories// directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0496 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE