CVE-2026-35177

EUVD-2026-19426
Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.1 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
vimvim
𝑥
< 9.2.0280
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
vim
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
2:9.2.0524-1
fixed
sid
2:9.2.0524-1
fixed
trixie
vulnerable
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
vim-X11
RHEL 8.4 AUS
2:8.0.1763-15.el8_4.2
fixed
RHEL 8.6 AUS
2:8.0.1763-19.el8_6.6
fixed
RHEL 8.8 E4S
2:8.0.1763-20.el8_8.2
fixed
RHEL 8.8 TUS
2:8.0.1763-20.el8_8.2
fixed
vim-common
RHEL 8.4 AUS
2:8.0.1763-15.el8_4.2
fixed
RHEL 8.6 AUS
2:8.0.1763-19.el8_6.6
fixed
RHEL 8.8 E4S
2:8.0.1763-20.el8_8.2
fixed
RHEL 8.8 TUS
2:8.0.1763-20.el8_8.2
fixed
RHEL 9
2:8.2.2637-26.el9_8.5
fixed
vim-enhanced
RHEL 8.4 AUS
2:8.0.1763-15.el8_4.2
fixed
RHEL 8.6 AUS
2:8.0.1763-19.el8_6.6
fixed
RHEL 8.8 E4S
2:8.0.1763-20.el8_8.2
fixed
RHEL 8.8 TUS
2:8.0.1763-20.el8_8.2
fixed
vim-filesystem
RHEL 8.4 AUS
2:8.0.1763-15.el8_4.2
fixed
RHEL 8.6 AUS
2:8.0.1763-19.el8_6.6
fixed
RHEL 8.8 E4S
2:8.0.1763-20.el8_8.2
fixed
RHEL 8.8 TUS
2:8.0.1763-20.el8_8.2
fixed
vim-minimal
RHEL 8.4 AUS
2:8.0.1763-15.el8_4.2
fixed
RHEL 8.6 AUS
2:8.0.1763-19.el8_6.6
fixed
RHEL 8.8 E4S
2:8.0.1763-20.el8_8.2
fixed
RHEL 8.8 TUS
2:8.0.1763-20.el8_8.2
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
vim-common
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-data
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-debuginfo
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-debugsource
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-default-editor
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-enhanced
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-enhanced-debuginfo
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-filesystem
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-minimal
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
vim-minimal-debuginfo
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
xxd
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
xxd-debuginfo
Amazon Linux 2023
2:9.2.597-1.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
vim
Azure Linux 3.0
0:9.2.0315-1.azl3
fixed