A high-severity vulnerability tracked as CVE-2026-59858 allows arbitrary code execution in Vim versions earlier than 9.2.0735 through the editor's C omni-completion feature. The flaw resides in runtime/autoload/ccomplete.vim, where unescaped tag data is inserted into a :vimgrep pattern and executed with :execute. An attacker can abuse a crafted tags entry so that, when a user opens a malicious .c file and triggers C omni-completion, injected Ex commands run with the privileges of the editing user.
Vim addressed the issue in patch 9.2.0735, which escapes the typename before constructing the :vimgrep command and blocks special characters such as / and | from breaking out of the pattern. The fix was committed in 6b611b0d15603c52ebdad17172b0232b4f65704e and includes regression tests to confirm that malicious typeref values no longer execute commands while normal struct-member completion continues to function.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
The CVE entry for the Vim arbitrary code execution issue was newly received by GitHub Security Advisories. The advisory describes the flaw as affecting Vim versions earlier than 9.2.0735 and notes that it was fixed in version 9.2.0735.
A Vim source-code commit fixed an Ex command injection flaw in runtime/autoload/ccomplete.vim by escaping the typename used to build a :vimgrep command. The patch also added regression tests and recorded the fix as patch 9.2.0735.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.