CVE-2026-41411
EUVD-2026-2557524.04.2026, 17:16
Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| vim | vim | 𝑥 < 9.2.0357 |
𝑥
= Vulnerable software versions
Amazon Linux Releases
Amazon Package | |||||
|---|---|---|---|---|---|
| vim-X11 |
| ||||
| vim-common |
| ||||
| vim-data |
| ||||
| vim-debuginfo |
| ||||
| vim-debugsource |
| ||||
| vim-default-editor |
| ||||
| vim-enhanced |
| ||||
| vim-enhanced-debuginfo |
| ||||
| vim-filesystem |
| ||||
| vim-minimal |
| ||||
| vim-minimal-debuginfo |
| ||||
| xxd |
| ||||
| xxd-debuginfo |
|
