Vim modeline flaw enables arbitrary command execution via crafted files
A high-severity flaw in Vim allows arbitrary OS command execution when a user opens a specially crafted file in affected versions earlier than 9.2.0272. The bug chain abuses the tabpanel option, which was missing the P_MLE flag and therefore let modelines inject %{expr} expressions even when modelineexpr was not enabled; the injected code was then able to escape the sandbox because autocmd_add() lacked a check_secure() call. The issue affects builds compiled with +tabpanel, including common FEAT_HUGE builds, and executes with the privileges of the user running Vim. Vim fixed the issue in patch v9.2.0272 via commit 664701eb7576edb7c7c7d9f2d600815ec1f43459, and the vulnerability is tracked as CVE-2026-34714 and GHSA-2gmj-rpqf-pxvh.
Follow-on discussion on oss-sec focused on both CVE coordination and safer defaults for modelines. Maintainers said GitHub Support declined to assign a CVE because one had already been issued, while participants identified the record as CVE-2026-34714, reportedly assigned by MITRE. Security researchers and community members also argued that Vim's modeline feature remains risky for untrusted files because it is enabled by default in many environments, recommending mitigations such as setting nomodeline and moving toward a whitelist-based modeline design or disabling the feature by default; commenters noted that Debian, and likely Ubuntu, have already shipped with modelines disabled by default for years.
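A defender-side triage check, added here and not part of the advisory or of Vim's own code: the function below parses a `vim --version` banner (a constructed sample is embedded so it runs offline; on a real host pipe the actual `vim --version` output into it) and reports whether the build is older than 9.2.0272 and compiled with +tabpanel. The "VIM - Vi IMproved X.Y" and "Included patches: 1-N" line layouts are assumed from Vim's usual banner.

```shell
# Added example (not from the advisory or the Vim project): read a
# `vim --version` banner on stdin and print "affected", "not affected" or
# "unknown" for the tabpanel modeline issue fixed in 9.2.0272. A build is
# affected when it is older than 9.2.0272 AND was compiled with +tabpanel.
vim_tabpanel_check() {
    banner=$(cat)

    # First line looks like "VIM - Vi IMproved 9.2 (...)"; extract "9 2".
    ver=$(printf '%s\n' "$banner" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    set -- $ver
    major=$1
    minor=$2

    # "Included patches: 1-271" -> 271 (last number on that line; 0 if absent).
    patch=$(printf '%s\n' "$banner" \
        | sed -n 's/^Included patches:.*[^0-9]\([0-9][0-9]*\)[^0-9]*$/\1/p' \
        | head -n 1)
    patch=${patch:-0}

    # Compare (major, minor, patch) against the fixed release 9.2.0272.
    key=$((major * 100000000 + minor * 100000 + patch))
    fixed=$((9 * 100000000 + 2 * 100000 + 272))
    if [ "$key" -ge "$fixed" ]; then
        echo "not affected"
        return 0
    fi

    # Older than the fix: only builds with +tabpanel carry the vulnerable option.
    if printf '%s\n' "$banner" | grep -q -- '+tabpanel'; then
        echo affected
    else
        echo "not affected"
    fi
    return 0
}

# Constructed sample banner (not real vim output) so the script runs offline;
# on a real host use:  vim --version | vim_tabpanel_check
SAMPLE_BANNER='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jan 01 2026 00:00:00)
Included patches: 1-271
Huge version without GUI.  Features included (+) or not (-):
+acl               +tabpanel          +terminal'

printf '%s\n' "$SAMPLE_BANNER" | vim_tabpanel_check
# Until the build is upgraded, "set nomodeline" in vimrc stops modelines
# from being processed at all.
```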

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
oss-sec notes MITRE CNA assigned CVE-2026-34714
A later oss-sec follow-up noted that the CVE record for CVE-2026-34714 listed MITRE CNA itself as the assigner rather than GitHub. This clarified the earlier confusion around why GitHub Support said it could not assign a CVE for the issue.
Researchers debate disabling or restricting Vim modelines by default
oss-sec participants argued that modelines should be disabled by default or limited to a whitelist of safer fields and values to reduce risk from untrusted files. The discussion included clarification that users should set nomodeline as a mitigation and noted that some distributions such as Debian already disable modelines by default.
oss-sec thread identifies the issue as CVE-2026-34714
In follow-up oss-sec discussion, participants said GitHub Support reported it could not assign a CVE because one had already been assigned, and the vulnerability was identified as CVE-2026-34714. The discussion focused on CVE assignment workflow rather than new exploitation details.
GitHub advisory published for Vim issue
A GitHub Security Advisory was published for the Vim tabpanel modeline escape issue, describing arbitrary command execution from opening a crafted file in affected Vim versions. The advisory credited Hung Nguyen with discovering and analyzing the bug chain and stated that the issue was fixed in v9.2.0272.
Vim vulnerability publicly disclosed on oss-sec
An oss-sec disclosure described a high-severity Vim vulnerability chain affecting versions earlier than 9.2.0272, where opening a crafted file could lead to arbitrary OS command execution. The write-up explained the tabpanel modeline bypass and sandbox escape conditions and noted impact on builds with +tabpanel enabled.
Vim fixes tabpanel modeline escape in patch 9.2.0272
Vim released patch 9.2.0272 to fix a vulnerability chain in which the tabpanel option could be abused via modelines and a missing check_secure() call enabled sandbox escape to arbitrary command execution. The fix was published in the Vim repository and referenced in the security advisory for affected versions earlier than 9.2.0272.
Sources
oss-sec: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (seclists.org)
oss-sec: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (seclists.org; six follow-up messages in the thread)
patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline · vim/vim@664701e (github.com)