Mallory
Severity: High

Arbitrary Code Execution in Vim Python Omni-Completion

Identifiers: CVE-2026-52860 · CWE-94 (Improper Control of Generation of…)

CVE-2026-52860 is an arbitrary code execution vulnerability in Vim affecting versions prior to 9.2.0597. The flaw is in Vim's Python omni-completion implementation, including runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim path, where source code reconstructed from the current Python buffer is executed with exec() to populate the completion dictionary. The reconstructed source includes function and class definitions derived from buffer contents; parameter lists, default expressions, annotations, and class base lists are preserved from attacker-controlled text harvested by internal parsing logic such as _parenparse(). Because Python evaluates function default values, parameter annotations, and class base expressions at definition time, a malicious Python buffer can cause attacker-controlled expressions to execute when omni-completion is triggered. The previously documented g:pythoncomplete_allow_import mitigation does not prevent this path because the executed content is not limited to harvested import/from statements.
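The mechanism described above can be demonstrated without Vim. The following is an added example, not code from Vim or from the advisory: a constructed buffer in the shape the completion code reconstructs (definitions that keep their defaults, annotations and base lists), first fed to `exec()` the way the vulnerable path does, then read with the `ast` module, which extracts the same names without evaluating anything. The `mark()` helper is an assumption standing in for whatever expression the buffer places in those positions; it only records that it ran.

```python
import ast

# Every entry appended here is proof that an expression from the buffer ran.
EVALUATED = []


def mark(tag):
    """Constructed stand-in for an expression under the buffer author's control.
    It records that it was evaluated and returns its tag."""
    EVALUATED.append(tag)
    return tag


# Constructed buffer text in the shape the page describes: harvested
# definitions keep their parameter defaults, annotations and base-class lists.
# (Base list: `mark("base") and object` evaluates mark() and then yields object.)
RECONSTRUCTED_SOURCE = '''
def handler(x=mark("default"), y: mark("annotation") = 1):
    pass

class Plugin(mark("base") and object):
    pass
'''


def complete_with_exec(source):
    """Vulnerable pattern: exec() the reconstructed source to learn which names
    exist. Python evaluates defaults and base lists at definition time (and
    annotations too, before the deferred evaluation of Python 3.14), so every
    expression in those positions runs here."""
    namespace = {"mark": mark}
    exec(source, namespace)
    return sorted(
        name for name in namespace
        if not name.startswith("__") and name != "mark"
    )


def complete_with_ast(source):
    """Hardened pattern: parse the buffer and read names and parameters straight
    off the syntax tree. No expression is evaluated; a buffer that does not
    parse simply yields no completions."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return {}
    entries = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            entries[node.name] = {
                "kind": "function",
                "params": [a.arg for a in node.args.args],
            }
        elif isinstance(node, ast.ClassDef):
            entries[node.name] = {
                "kind": "class",
                "bases": [ast.unparse(b) for b in node.bases],
            }
    return entries


def run_comparison():
    """Run both strategies on the constructed buffer and report what each one
    evaluated. Returns (exec_names, exec_evaluated, ast_entries, ast_evaluated)."""
    del EVALUATED[:]
    exec_names = complete_with_exec(RECONSTRUCTED_SOURCE)
    exec_evaluated = list(EVALUATED)
    del EVALUATED[:]
    ast_entries = complete_with_ast(RECONSTRUCTED_SOURCE)
    ast_evaluated = list(EVALUATED)
    return exec_names, exec_evaluated, ast_entries, ast_evaluated


if __name__ == "__main__":
    names, ran, entries, ran_ast = run_comparison()
    print("exec():", names, "evaluated:", ran)      # evaluated is non-empty
    print("ast:   ", sorted(entries), "evaluated:", ran_ast)  # evaluated is []
```

Both strategies report the same two names, which is all the completion dictionary needs; only the `exec()` path pays for it by running buffer-supplied expressions. This is also why the `g:pythoncomplete_allow_import` setting does not help: the expressions live inside the definitions, not in `import` statements.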


Analyst brief: impact, mitigation & remediation

Impact


Successful exploitation results in arbitrary Python code execution within the user's Vim process, with the privileges of the user running Vim. This can allow execution of local commands, access to files and credentials available to that user, modification of editor state or local data, and potentially follow-on compromise depending on the user's environment and privileges.

Mitigation


As a temporary mitigation, avoid triggering Python omni-completion on untrusted Python files or buffers, including manual invocation such as CTRL-X CTRL-O and any plugins or workflows that automatically call the Python completion function. Avoid opening or editing attacker-supplied Python content in vulnerable Vim builds where possible. Systems built without +python3 and +python support are not affected. The prior g:pythoncomplete_allow_import mitigation is insufficient for this vulnerability.

Remediation


Upgrade Vim to version 9.2.0597 or later, which patches the vulnerable omni-completion behavior. Ensure affected distributions or downstream packages incorporate the upstream fix. If using vendor-packaged Vim builds, apply the corresponding security update from the platform maintainer once available.
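The two facts a practitioner needs to combine from the mitigation and remediation text are the feature flags (`+python3` / `+python`) and the build version relative to 9.2.0597. The following added example, not part of the advisory, reads the output of `vim --version` and decides whether a build is exposed on those two criteria. The three samples are constructed, not captured from any real host; the `Included patches:` parsing assumes Vim's usual `1-N, M` format. Distribution packages that backport the fix without bumping the patch level will still show as exposed here, so treat the result as a prompt to check the vendor advisory, not as a final verdict.

```python
import re

# First fixed release stated in the advisory: Vim 9.2, patch 597.
FIXED = (9, 2, 597)

# Constructed sample: a 9.1 build with Python 3 support (exposed).
SAMPLE_EXPOSED = """VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 10 2025 10:00:00)
Included patches: 1-1200
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       -python
+arabic            +find_in_path      +mouse_xterm       +python3
"""

# Constructed sample: same version, built without any Python interface (not exposed).
SAMPLE_NO_PYTHON = """VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 10 2025 10:00:00)
Included patches: 1-1200
Normal version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       -python
+arabic            +find_in_path      +mouse_xterm       -python3
"""

# Constructed sample: 9.2 at patch level 597 with Python 3 (fixed).
SAMPLE_FIXED = """VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 01 2026 10:00:00)
Included patches: 1-597
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       -python
+arabic            +find_in_path      +mouse_xterm       +python3
"""


def parse_vim_version(text):
    """Return ((major, minor, patch), has_python) from `vim --version` output.
    The patch level is the highest number in the 'Included patches' list."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not recognisable as vim --version output")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = 0
    pm = re.search(r"Included patches: ([\d ,-]+)", text)
    if pm:
        patch = max(int(n) for n in re.findall(r"\d+", pm.group(1)))
    # Feature flags look like "+python3", "-python", or "+python3/dyn".
    flags = set(re.findall(r"([+-])(python3?)\b", text))
    has_python = ("+", "python") in flags or ("+", "python3") in flags
    return (major, minor, patch), has_python


def is_exposed(text):
    """Exposed when the build predates 9.2.0597 and has a Python interface."""
    version, has_python = parse_vim_version(text)
    return version < FIXED and has_python


if __name__ == "__main__":
    import subprocess
    # On a real host, run the check against the installed binary.
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    print("version/patch:", parse_vim_version(out)[0], "exposed:", is_exposed(out))
```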
Public exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Vendor   Product   Type
Vim      Vim       application

Vendor-confirmed product mapping.

Recent activity

1 source tracked across advisories and community write-ups. No news coverage yet; advisories and community discussion only.
