Vim Modeline Bypass Enables Arbitrary Command Execution
Vim disclosed a high-severity vulnerability that lets attackers achieve arbitrary OS command execution when a user opens a crafted file in affected versions earlier than 9.2.0276. The flaw is a modeline sandbox bypass caused by missing security-related P_MLE flags on the complete, guitabtooltip, and printheader options, allowing unsafe behavior from modelines that should have been restricted.
The bug also involves a missing check_secure() call in mapset(), which creates additional exploitation paths through key mappings and option handling. Researchers showed that the complete option could abuse F{func} callback syntax without the protections applied to completefunc, while guitabtooltip and printheader could be leveraged through mapset(). Vim fixed the issue in patch v9.2.0276, and the advisory was later assigned CVE-2026-34982; the project credited dfwjj x and Avishay Matayev for the discovery and analysis.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
GitHub advisory assigns CVE-2026-34982 to the Vim flaw
A later GitHub Security Advisory update assigned CVE-2026-34982 to the Vim modeline bypass vulnerability. The project also credited researchers "dfwjj x" and Avishay Matayev for discovering and analyzing the issue.
Vim vulnerability publicly disclosed on oss-sec
On March 31, 2026, Vim publicly disclosed technical details of a modeline sandbox bypass involving the `complete`, `guitabtooltip`, and `printheader` options and a missing `check_secure()` call in `mapset()`. The disclosure said the issue had no CVE at first and linked the fix and advisory information.
Vim fixes modeline sandbox bypass in patch v9.2.0276
The Vim project fixed a high-severity modeline sandbox bypass in patch v9.2.0276. The flaw affected Vim versions earlier than 9.2.0276 and could allow arbitrary OS command execution when a user opened a crafted file.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-34982 - Vim modeline bypass via various options affects Vim < 9.2.0276
cvefeed.io
Open sourceVim Modeline Bypass Vulnerability Let Attackers Execute Arbitrary OS Commands
cybersecuritynews.com
Open sourceoss-sec: Re: [vim-security] Vim modeline bypass via various options affects Vim < 9.2.0276
seclists.org
Open sourceoss-sec: [vim-security] Vim modeline bypass via various options affects Vim < 9.2.0276
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vim modeline flaw enables arbitrary command execution via crafted files
A high-severity flaw in **Vim** allows arbitrary OS command execution when a user opens a specially crafted file in affected versions earlier than **9.2.0272**. The bug chain abuses the `tabpanel` option, which was missing the `P_MLE` flag and therefore let modelines inject `%{expr}` expressions even when `modelineexpr` was not enabled; the injected code was then able to escape the sandbox because `autocmd_add()` lacked a `check_secure()` call. The issue affects builds compiled with `+tabpanel`, including common `FEAT_HUGE` builds, and executes with the privileges of the user running Vim. Vim fixed the issue in patch **v9.2.0272** via commit `664701eb7576edb7c7c7d9f2d600815ec1f43459`, and the vulnerability is tracked as **CVE-2026-34714** and **GHSA-2gmj-rpqf-pxvh**. Follow-on discussion on `oss-sec` focused on both CVE coordination and safer defaults for modelines. Maintainers said GitHub Support declined to assign a CVE because one had already been issued, while participants identified the record as **CVE-2026-34714**, reportedly assigned by MITRE. Security researchers and community members also argued that Vim's `modeline` feature remains risky for untrusted files because it is enabled by default in many environments, recommending mitigations such as setting `nomodeline` and moving toward a whitelist-based modeline design or disabling the feature by default; commenters noted that Debian, and likely Ubuntu, have already shipped with modelines disabled by default for years.
Jun 8, 2026
Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified **code execution vulnerabilities** in `vim`, the widely used text editor, in two separate notices. The advisories, `2026-0782` and `2026-0886`, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application. The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where `vim` is installed or used to process untrusted content. Organizations using `vim` should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
May 4, 2026Vim Cucumber Plugin Code Injection Lets Malicious Repos Execute Ruby
Vim disclosed a medium-severity code injection flaw in its Cucumber filetype plugin that affects versions earlier than `9.2.0496` when compiled with `+ruby` support. The bug is in `s:stepmatch()` in `runtime/ftplugin/cucumber.vim`, where attacker-controlled step-definition regex patterns from repository `.rb` files were inserted into Ruby `Kernel.eval()` without sufficient escaping, allowing arbitrary Ruby execution and potentially shell command execution. The issue is tracked in GitHub Security Advisory `GHSA-4473-94jm-w5x9` and mapped to `CWE-94` and `CWE-95`. Exploitation requires a user to open a malicious cucumber-style repository and trigger the step-jump mappings `[`d`]` or `]d` on a matching feature line; the vulnerability does **not** fire through omni-completion alone because `CucumberComplete()` does not call the vulnerable path. Vim fixed the bug in patch `9.2.0496` by replacing `Kernel.eval()` with `Regexp.new()`, keeping the regex as untrusted data rather than executable code, and added a regression test using a proof-of-concept payload that attempted to invoke `system("touch ...")`. The project credited Aisle Research for reporting and analyzing the flaw.
May 25, 2026