CVE-2026-47162
Modified Modified - Updated After Analysis

Vimscript Code Injection in Vim via Netrw History File

Vulnerability report for CVE-2026-47162, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-11
Last Modified
2026-06-30
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-06-30
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vim vim to 9.2.0495 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-140 The product does not neutralize or incorrectly neutralizes delimiters.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Vimscript code injection issue in the netrw plugin of Vim versions prior to 9.2.0495. It occurs in the function NetrwBookHistSave(), which saves browsed directory paths to a history file. If a directory name contains a single quote, it can break out of the single-quoted Vimscript string literal without proper escaping, allowing an attacker to inject arbitrary Vimscript code.

The injected code can include shell commands executed via functions like system() or :!, which run with the privileges of the user running Vim. To exploit this, an attacker must create a crafted directory name with a single quote and have the victim browse that directory using netrw. The malicious code executes the next time Vim is launched and the history file is sourced.

This issue was fixed in Vim version 9.2.0495 by properly quoting directory names before saving them to the history file, preventing code injection.

Impact Analysis

This vulnerability can lead to arbitrary code execution with the privileges of the user running Vim. An attacker who can create a specially crafted directory name containing a single quote and trick the victim into browsing it can execute arbitrary Vimscript and shell commands on the victim's system.

The impact includes potential full command execution, which could lead to unauthorized actions such as data modification, data theft, or system compromise depending on the user's permissions.

Exploitation requires user interaction (browsing the malicious directory) and a crafted directory name, so the severity is rated medium, but the consequences of successful exploitation are severe.

Detection Guidance

This vulnerability can be detected by checking the contents of the Vim netrw history file located at ~/.vim/.netrwhist for suspicious entries. Specifically, look for directory names containing single quotes or other special characters that could break out of the Vimscript string context and inject code.

You can inspect the history file with commands like:

  • cat ~/.vim/.netrwhist
  • grep "'" ~/.vim/.netrwhist
  • grep -E "[\'\|\;\&]" ~/.vim/.netrwhist

Additionally, verify the installed Vim version to confirm if it is prior to 9.2.0495, which is vulnerable:

  • vim --version | head -n 1
Mitigation Strategies

The immediate mitigation step is to upgrade Vim to version 9.2.0495 or later, where the vulnerability has been patched.

Until the upgrade can be performed, you can manually remove or sanitize the ~/.vim/.netrwhist history file to eliminate any malicious entries that could be executed when Vim starts.

Avoid browsing directories with crafted names containing single quotes or other special characters using the netrw plugin.

Consider disabling the netrw plugin or its history feature temporarily if upgrading is not immediately possible.

Compliance Impact

This vulnerability allows arbitrary code execution with the privileges of the user running Vim by injecting malicious Vimscript through crafted directory names. Such unauthorized code execution could lead to unauthorized access, data manipulation, or data leakage.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to execute arbitrary commands could potentially lead to violations of these regulations if sensitive data is accessed or compromised as a result.

Therefore, organizations using vulnerable versions of Vim with the netrw plugin could face compliance risks related to data protection and security requirements mandated by regulations such as GDPR and HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47162. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart