CVE-2026-11487
Deferred - Pending Action
Command Injection in Neovim Text Editor

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A flaw has been found in Neovim up to and including 0.12.2. Affected is the function M.read in the file runtime/lua/vim/secure.lua, in the component View Branch. Manipulating the argument `path` leads to command injection. The attack must be launched on the local host. An exploit has been published and may be used. The fix is commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf; applying it remediates the issue.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: neovim; Product: neovim; Version / Range: up to 0.12.2 (inclusive)
CWE ID: Description
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Executive Summary

This vulnerability is a command injection flaw in Neovim's `vim.secure.read()` function, in its 'view' branch (the path taken when the user chooses to view an untrusted file at the trust prompt rather than allow or deny it). The file name is concatenated into the Ex command `sview` without escaping. Ex treats an unescaped pipe character (`|`) as a command separator, so a file name that contains one ends the `sview` command early and everything after the pipe is parsed as a second command, letting the attacker run arbitrary Vimscript (and, through `:lua`, Lua) inside the Neovim session.

For example, a file named `victim|let g:secure_poc=123` makes Neovim execute `sview victim` followed by the injected command `let g:secure_poc=123` when the user chooses to view it, which defeats the security boundary the view option is meant to provide for untrusted files.

The vulnerability affects Neovim up to and including version 0.12.2 and was fixed by passing the file name through `fnameescape()` before building the command, which backslash-escapes `|` and the other characters Ex treats specially in a file name argument.
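The following Python model is added here to make the mechanism above concrete; it is not Neovim's code (the real parser is C in ex_docmd.c and the fix is a Lua call to vim.fn.fnameescape()). It reproduces two documented Vim rules: an unescaped `|` ends one Ex command and starts the next (`:help :bar`), and `fnameescape()` backslash-escapes space, tab, newline, `* ? [ { ` $ \ % # ' " | ! <` plus a leading `+` or `-` (`:help fnameescape()`). The function names `view_vulnerable` and `view_fixed` are illustrative labels for the pre-fix and post-fix shape of the `sview` call, and the splitter only models commands such as `:sview` that do not consume the bar.

```python
"""Added model of the vim.secure.read() 'view' branch injection and its fix.

Not Neovim's source. The bar-splitting and fnameescape() rules below are
taken from the Vim documentation; everything else is illustrative.
"""

# Characters fnameescape() escapes on Unix-like systems (':help fnameescape()').
FNAME_SPECIAL = set(' \t\n*?[{`$\\%#\'"|!<')


def fnameescape(name: str) -> str:
    """Python re-implementation of Vim's fnameescape() for Unix."""
    out = ''.join('\\' + c if c in FNAME_SPECIAL else c for c in name)
    # A leading '+' or '-' is special to :edit/:write/:cd and is escaped too.
    if out[:1] in ('+', '-'):
        out = '\\' + out
    return out


def split_ex_commands(cmdline: str) -> list[str]:
    """Split an Ex command line on unescaped bars, as Vim does for commands
    such as :sview that do not consume the bar (':help :bar').

    A backslash before a bar is removed and the bar kept literally; other
    backslash escapes are passed through for the command's own parser.
    """
    commands, current, i = [], [], 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '\\' and i + 1 < len(cmdline):
            nxt = cmdline[i + 1]
            current.append('|' if nxt == '|' else c + nxt)
            i += 2
            continue
        if c in '|\n':          # unescaped separator: next command starts
            commands.append(''.join(current).strip())
            current = []
        else:
            current.append(c)
        i += 1
    commands.append(''.join(current).strip())
    return [cmd for cmd in commands if cmd]


def view_vulnerable(path: str) -> list[str]:
    """Pre-fix shape: the file name is concatenated into ':sview' unescaped."""
    return split_ex_commands('sview ' + path)


def view_fixed(path: str) -> list[str]:
    """Post-fix shape: the file name goes through fnameescape() first."""
    return split_ex_commands('sview ' + fnameescape(path))


if __name__ == '__main__':
    # Constructed file name, modelled on the PoC name quoted on this page.
    evil = 'victim|let g:secure_poc=123'
    print(view_vulnerable(evil))  # ['sview victim', 'let g:secure_poc=123']
    print(view_fixed(evil))       # ['sview victim|let\\ g:secure_poc=123']
```

The vulnerable shape yields two commands, the second being attacker-controlled; the fixed shape yields a single `sview` whose argument still contains the literal bar, which is exactly what the escaping is for.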

Impact Analysis

This vulnerability lets an attacker run arbitrary Ex commands, and through them Vimscript or Lua, inside the victim's Neovim session by controlling the name of a file that `vim.secure.read()` offers to view.

If the user chooses to view a file with a crafted name, the injected commands can alter the editor's state, execute code with the user's privileges, or serve as a foothold for further compromise, depending on the environment in which Neovim is running.

The attack is local: the attacker must be able to place a file with a crafted name where the victim will be prompted about it, so the risk is highest where untrusted files are opened without caution.

Detection Guidance

First establish exposure: every Neovim release up to and including 0.12.2 carries the unescaped `sview` argument in `vim.secure.read()`.

To spot exploitation attempts, look for file names that contain the Ex command separator, the pipe character (`|`), in locations where Neovim's trust prompt applies to files from untrusted sources. A colon (`:`) is not a command separator and is common in ordinary file names, so on its own it is a much weaker signal.

For example, file names such as 'victim|let g:secure_poc=123' or 'Xfile|let g:secure_poc=42' (the names used in the published exploit) seen in file-access logs or on disk indicate an attempt to exploit this vulnerability.

Because the vulnerability is local and triggered by viewing a file with a crafted name, a scan of the directories Neovim is used in for names containing a pipe is a practical check:

  • find /path/to/scan -name '*|*' -print

Additionally, the first line of the version output (`NVIM vX.Y.Z`) tells you whether the installed build is in the affected range:

  • nvim --version | head -n 1
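The two checks above, scripted, as an added example that is not part of the page or of Neovim's tooling. It walks a directory tree for names containing an Ex command separator (`|` or a newline, the characters the published PoC name relies on) and decides from the first line of `nvim --version` (observed format `NVIM v0.12.2`) whether the build is below 0.12.3, the first release this page reports as fixed. The sample tree in `demo()` is constructed inline.

```python
"""Added detection helpers for this advisory; not Neovim's own tooling."""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Ex treats an unescaped bar or newline as the end of a command.
EX_SEPARATORS = ('|', '\n')
# First release the page reports as fixed (assumption taken from the page).
FIXED_VERSION = (0, 12, 3)


def suspicious_filenames(root: str) -> List[str]:
    """Return paths under root whose basename contains an Ex separator."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(sep in name for sep in EX_SEPARATORS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_nvim_version(first_line: str) -> Optional[Tuple[int, int, int]]:
    """Parse the first line of `nvim --version`, e.g. 'NVIM v0.12.2'.

    Pre-release suffixes such as '-dev' are ignored; only the numeric
    triple is compared.
    """
    m = re.match(r'NVIM v(\d+)\.(\d+)\.(\d+)', first_line.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(first_line: str) -> bool:
    """True when the parsed version is below the first fixed release."""
    version = parse_nvim_version(first_line)
    return version is not None and version < FIXED_VERSION


def demo() -> List[str]:
    """Constructed sample tree: one benign name and one PoC-style name."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ('notes.txt', 'victim|let g:secure_poc=123'):
            open(os.path.join(tmp, name), 'w').close()
        return [os.path.basename(p) for p in suspicious_filenames(tmp)]


if __name__ == '__main__':
    print(demo())                          # ['victim|let g:secure_poc=123']
    print(is_affected('NVIM v0.12.2'))     # True
    print(is_affected('NVIM v0.12.3'))     # False
```

Run `suspicious_filenames()` over directories that untrusted users can write to; the version check is worth running on every host, since a single affected build is enough for the local attack.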
Mitigation Strategies

The immediate mitigation is to update Neovim to version 0.12.3 or later, where the file name is passed through fnameescape() before it is concatenated into the sview command.

If updating is not immediately possible, do not choose the view option at the trust prompt for a file whose name contains a pipe (|) or other characters special to Ex, especially when the file comes from an untrusted source; deny or ignore it instead.

Applying the patch identified by commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf to an older build also remediates the issue.

Review and restrict local user permissions so that untrusted users cannot place files with crafted names in directories that Neovim reads.

Compliance Impact

The provided context and resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
