CVE-2026-39881
Command Injection in Vim Netbeans Interface Allows Remote Code Execution
Publication date: 2026-04-08
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vim | vim | to 9.2.0316 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Vim, an open source command line text editor, prior to version 9.2.0316. It is a command injection vulnerability in Vim's netbeans interface. When Vim connects to a malicious netbeans server, the server can execute arbitrary Ex commands by sending unsanitized strings in the defineAnnoType and specialKeys protocol messages.
How can this vulnerability impact me? :
The vulnerability allows a malicious netbeans server to execute arbitrary Ex commands on the victim's system when Vim connects to it. This can lead to unauthorized modification of data or system behavior, potentially compromising the integrity of the user's environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Vim to version 9.2.0316 or later, where the issue has been fixed.