A high-severity vulnerability tracked as CVE-2026-59856 allows arbitrary code execution in Vim’s PHP omni-completion feature. In Vim versions prior to 9.2.0736, the runtime/autoload/phpcomplete.vim script inserted a class or trait name from an edited PHP buffer into a search() pattern that was then executed through win_execute() without proper escaping. A crafted PHP file containing a malicious name with a quote and Ex command separator could break out of the intended pattern and trigger arbitrary Ex commands, including operating-system command execution via :!, when a user opened the file and invoked omni-completion.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-59856 was published as a high-severity arbitrary code execution vulnerability affecting Vim versions prior to 9.2.0736 in the PHP omni-completion feature. The disclosure states that a crafted PHP file can trigger arbitrary OS command execution when a victim opens the file and invokes omni-completion.
A Vim source-code commit fixed a command-injection flaw in runtime/autoload/phpcomplete.vim by wrapping the search pattern with string() before passing it to win_execute(). The patch also added a regression test and updated Vim's included_patches list to patch 9.2.0736.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.