CVE-2026-35177
Path Traversal in Vim zip.vim Plugin Allows File Overwrite
Publication date: 2026-04-06
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vim | vim | to 9.2.0280 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35177 is a path traversal vulnerability in the zip.vim plugin of Vim versions prior to 9.2.0280. It allows an attacker to overwrite arbitrary files on the filesystem by opening specially crafted zip archives within Vim.
The vulnerability bypasses a previous fix by using a dummy directory prefix before the traversal sequence, causing Vim's path checks to fail while still escaping the intended directory after path normalization.
Exploitation requires the user to open a malicious zip archive in Vim, select and edit a malicious file inside it, and then save the file using the ":w" command, which causes Vim to overwrite files outside the intended directory.
Vim displays the full path of the file being written, which may alert cautious users. Standard zip utilities usually do not extract such paths and will warn or skip them, so this issue is specific to Vim's internal handling.
How can this vulnerability impact me? :
Successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the Vim process.
The impact is considered low because exploitation requires direct user interaction and deliberate editing of malicious files.
The vulnerability has a CVSS v3.1 base score of 4.1, indicating moderate severity, with low integrity and availability impacts and no confidentiality impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Vim installation is a version prior to 9.2.0280, as those versions contain the vulnerable zip.vim plugin.
Detection of active exploitation attempts involves monitoring for users opening specially crafted zip archives in Vim and then saving files with path traversal sequences.
Since exploitation requires user interaction within Vim, you can look for Vim processes editing files from zip archives with suspicious paths containing traversal patterns like "a/../../".
Suggested commands to check Vim version and look for suspicious activity include:
- Check Vim version: `vim --version` (ensure it is 9.2.0280 or later)
- Search for recent Vim processes: `ps aux | grep vim`
- Monitor file writes by Vim to sensitive locations, for example using auditd or inotify tools to watch for unexpected file overwrites.
- Review Vim swap or backup files for suspicious paths or contents.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Vim to version 9.2.0280 or later, where this vulnerability is fixed.
Until the upgrade is applied, avoid opening zip archives in Vim, especially those from untrusted sources.
Educate users about the risk of opening and editing files inside zip archives with Vim, as exploitation requires deliberate user interaction.
Consider restricting write permissions on sensitive files and directories to limit the impact of any potential exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to overwrite arbitrary files on the filesystem by opening specially crafted zip archives within Vim, potentially leading to modification of sensitive files or placing executable code in privileged locations.
Because exploitation requires direct user interaction and deliberate editing of malicious files, the risk is considered low to moderate.
However, if exploited, the integrity of sensitive data could be compromised, which may impact compliance with standards like GDPR or HIPAA that require protection of data integrity and prevention of unauthorized modification.
No direct confidentiality impact is noted, but the ability to overwrite files could indirectly affect compliance by enabling unauthorized changes to protected data or system files.