Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified code execution vulnerabilities in vim, the widely used text editor, in two separate notices. The advisories, 2026-0782 and 2026-0886, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application.
The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where vim is installed or used to process untrusted content. Organizations using vim should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes advisory 2026-1313 for Vim code execution flaw
dCERT published advisory 2026-1313 concerning a Vim vulnerability that allows code execution. The reference provides no synopsis or additional remediation details.
dCERT publishes advisory 2026-1219 for Vim code execution flaw
dCERT published advisory 2026-1219 concerning a Vim vulnerability that allows code execution. The reference provides no synopsis or additional remediation details.
dCERT publishes advisory 2026-1122 for Vim code execution flaw
dCERT published advisory 2026-1122 concerning a Vim vulnerability that allows code execution. The reference provides no additional technical details or remediation information.
dCERT publishes advisory 2026-0986 for Vim code execution flaw
dCERT published advisory 2026-0986 concerning a Vim vulnerability that allows code execution. The reference provides no additional technical details or remediation information.
dCERT publishes advisory 2026-0919 for Vim code execution flaw
dCERT published advisory 2026-0919 concerning a Vim vulnerability that allows code execution. The reference provides no additional synopsis or remediation details.
dCERT publishes advisory 2026-0886 for Vim code execution flaw
dCERT published advisory 2026-0886 concerning a Vim vulnerability that allows code execution. The reference does not clarify whether this is a new issue or an update to a previously reported flaw.
dCERT publishes advisory 2026-0782 for Vim code execution flaw
dCERT published advisory 2026-0782 warning of a Vim vulnerability that allows code execution. No additional technical details or remediation information are provided in the reference.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
dCERT - Advisory 2026-1313 - vim: Vulnerability allows code execution
dcert.de
Open sourcedCERT - Advisory 2026-1219 - vim: Vulnerability allows code execution
dcert.de
Open sourcedCERT - Advisory 2026-1122 - vim: Vulnerability allows code execution
dcert.de
Open sourcedCERT - Advisory 2026-0986 - vim: Vulnerability allows code execution
dcert.de
Open sourcedCERT - Advisory 2026-0919 - vim: Vulnerability allows code execution
dcert.de
Open sourcedCERT - Advisory 2026-0886 - vim: Vulnerability allows code execution
dcert.de
Open sourcedCERT - Advisory 2026-0782 - vim: Vulnerability allows code execution
dcert.de
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Vim Flaws Enable Code Execution and Denial of Service
German CERT advisories reported several vulnerabilities in **Vim**, including flaws that can lead to **arbitrary code execution** and **denial of service**. One advisory identified multiple vulnerabilities in Vim broadly, while another separately warned that a Vim vulnerability could be used to crash the application and disrupt availability. A later product advisory narrowed part of the issue to Vim's **Spell File Parser**, where multiple vulnerabilities were said to allow denial-of-service conditions. Together, the notices indicate that both general Vim functionality and the spell-file parsing component were affected, raising risks ranging from editor crashes to potentially more severe compromise through code execution.
May 26, 2026
Code Execution Flaws Expose Vim netrw and SiYuan Users to Endpoint Compromise
Two newly disclosed vulnerabilities affect widely used desktop productivity tools and could let attackers execute code in the context of the logged-in user. **CVE-2026-28417** impacts Vim's `netrw` plugin and allows OS command injection with user interaction, potentially exposing the victim's files, environment variables, and active authentication tokens. The issue is rated **CVSS 4.4 (Medium)** and appears limited to local exploitation, but it could still support persistence, sensitive file theft, or follow-on lateral movement from a developer workstation. A more severe flaw, **CVE-2026-39846**, affects the SiYuan Electron client and enables remote code execution through a stored XSS condition delivered via synchronized note content. The vulnerability carries a **CVSS 9.1** rating and can be triggered when a user opens a malicious synchronized note, allowing silent background execution with the victim user's privileges. Reporting indicates a proof of concept exists, making targeted compromise plausible even though neither issue was reported as actively exploited at disclosure and the Vim flaw was not listed in CISA's Known Exploited Vulnerabilities catalog.
Apr 8, 2026
Vim modeline flaw enables arbitrary command execution via crafted files
A high-severity flaw in **Vim** allows arbitrary OS command execution when a user opens a specially crafted file in affected versions earlier than **9.2.0272**. The bug chain abuses the `tabpanel` option, which was missing the `P_MLE` flag and therefore let modelines inject `%{expr}` expressions even when `modelineexpr` was not enabled; the injected code was then able to escape the sandbox because `autocmd_add()` lacked a `check_secure()` call. The issue affects builds compiled with `+tabpanel`, including common `FEAT_HUGE` builds, and executes with the privileges of the user running Vim. Vim fixed the issue in patch **v9.2.0272** via commit `664701eb7576edb7c7c7d9f2d600815ec1f43459`, and the vulnerability is tracked as **CVE-2026-34714** and **GHSA-2gmj-rpqf-pxvh**. Follow-on discussion on `oss-sec` focused on both CVE coordination and safer defaults for modelines. Maintainers said GitHub Support declined to assign a CVE because one had already been issued, while participants identified the record as **CVE-2026-34714**, reportedly assigned by MITRE. Security researchers and community members also argued that Vim's `modeline` feature remains risky for untrusted files because it is enabled by default in many environments, recommending mitigations such as setting `nomodeline` and moving toward a whitelist-based modeline design or disabling the feature by default; commenters noted that Debian, and likely Ubuntu, have already shipped with modelines disabled by default for years.
Jun 8, 2026