CVE-2026-34714
Modified
Modified - Updated After Analysis
Expression Injection in Vim < 9.2.0272 Enables Code Execution
Vulnerability report for CVE-2026-34714, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-30
Last updated on: 2026-06-30
Assigner: MITRE
Description
Description
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vim | vim | From 9.1.1390 (inc) to 9.2.0272 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |