CVE-2026-33412

EUVD-2026-14998
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.6 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
GitHub_MCNA
5.6 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
vimvim
𝑥
< 9.2.0202
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
vim
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
2:9.2.0218-1
fixed
sid
2:9.2.0218-1
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
vim
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
https://github.com/vim/vim/releases/tag/v9.2.0202
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
http://www.openwall.com/lists/oss-security/2026/03/19/10