CVE-2026-44656
Received Received - Intake
OS Command Injection in Vim via :find Completion

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44656
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vim vim to 9.2.0435 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Vim text editor prior to version 9.2.0435. It is an OS command injection issue related to Vim's :find command-line completion feature.

When the 'path' option in Vim contains backtick-enclosed shell commands, those commands get executed during file name completion. Because the 'path' option lacks the P_SECURE flag, it can be set from a modeline within a file.

An attacker who controls the contents of a file can insert such a modeline, causing arbitrary shell commands to be executed when a user opens that file in Vim and triggers :find completion.

This vulnerability has been fixed in Vim version 9.2.0435.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary shell commands on your system when you open a maliciously crafted file in Vim and use the :find command-line completion.

Such command execution can lead to unauthorized actions, including data theft, system compromise, or further malware installation, depending on the commands executed.

Because the attack requires user interaction (opening the file and triggering :find completion), the risk depends on the likelihood of opening attacker-controlled files.

Mitigation Strategies

To mitigate this vulnerability, update Vim to version 9.2.0435 or later, where the issue has been patched.

Avoid opening untrusted files in Vim that could contain malicious modelines setting the path option with backtick-enclosed shell commands.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44656. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart