CVE-2026-47167

Code Injection in Vim via Cucumber Filetype Plugin

Vulnerability report for CVE-2026-47167, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-15
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor   Product   Version / Range
vim      vim       up to 9.2.0496 (excluding)

CWE

CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection'): The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

CWE-94 (Improper Control of Generation of Code, 'Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.


AI Quick Actions

Executive Summary

This vulnerability is a code injection issue in the cucumber filetype plugin of Vim versions prior to 9.2.0496 when Vim is built with +ruby support.

Specifically, the s:stepmatch() function processes step-definition patterns from .rb files in cucumber repositories by embedding them into a Ruby Kernel.eval argument without proper escaping.

An attacker can craft a malicious regex pattern in a step-definition file that, when matched during a step-jump operation (triggered by [d or ]d mappings), executes arbitrary Ruby code and shell commands with the privileges of the user running Vim.

The vulnerability requires the victim to open a cucumber-style repository containing the attacker-controlled file and invoke the step-jump mapping on a matching feature line.

This issue was fixed in Vim patch version 9.2.0496 by replacing Kernel.eval() with Regexp.new(), preventing code injection.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary Ruby code and shell commands on your system with the same privileges as the user running Vim.

This can lead to unauthorized command execution, potentially compromising your system's security and integrity.

However, exploitation requires specific conditions: you must open a cucumber-style repository containing a malicious step-definition file and invoke the step-jump mapping on a matching feature line.

Detection Guidance

This vulnerability can be detected by checking whether your Vim installation is older than 9.2.0496 and whether it was compiled with +ruby support. Detection also involves verifying whether the cucumber filetype plugin is in use and whether any cucumber-style repositories containing .rb step-definition files are opened.

There are no specific network detection commands since exploitation requires local interaction with Vim and a crafted repository. However, you can check your Vim version and ruby support with the following commands:

  • vim --version | grep "+ruby" # Checks if Vim is compiled with ruby support
  • vim --version | head -n 1 # Checks Vim version

If the version is earlier than 9.2.0496 and +ruby support is enabled, your system is vulnerable.
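The two commands above leave the version comparison to the reader, and two details of `vim --version` output make that comparison easy to get wrong: the first line only shows the major.minor number (for example "9.2"), while the patch level that distinguishes 9.2.0400 from 9.2.0496 lives on the "Included patches:" line, which may list non-contiguous ranges such as "1-495, 497-600"; and a dynamically loaded Ruby interface is reported as "+ruby/dyn", which a bare grep for "+ruby" also matches. The POSIX shell script below is an added example written for this page, not code from the Vim project or from the advisory. It parses the `vim --version` text, checks that patch 496 is actually included rather than relying on the highest number, and classifies the build as affected, not-affected, or unknown. The sample outputs are constructed for illustration and assume the standard `vim --version` layout; the function and sample names are the author's own.

```shell
# Added example: classify a `vim --version` output with respect to CVE-2026-47167
# (Vim < 9.2.0496 built with +ruby). Not part of the page or of the Vim project.

# Print "MAJOR MINOR" parsed from the first line ("VIM - Vi IMproved 9.2 (...)").
vim_major_minor() {
  printf '%s\n' "$1" | sed -n '1s/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if patch number $2 is listed on the "Included patches:" line of $1.
# Handles comma-separated items of the form "a-b" or "a", so a gap such as
# "1-495, 497-600" is correctly reported as NOT containing 496.
vim_has_patch() {
  _text=$1; _want=$2
  _list=$(printf '%s\n' "$_text" | sed -n 's/^Included patches: *//p' | head -n 1)
  [ -n "$_list" ] || return 1
  _old_ifs=$IFS; IFS=','
  for _item in $_list; do
    _item=$(printf '%s' "$_item" | tr -d ' ')
    case $_item in *[!0-9-]*|'') continue ;; esac   # skip anything that is not a number or range
    case $_item in
      *-*) _lo=${_item%-*}; _hi=${_item#*-} ;;
      *)   _lo=$_item; _hi=$_item ;;
    esac
    if [ "$_lo" -le "$_want" ] && [ "$_want" -le "$_hi" ]; then IFS=$_old_ifs; return 0; fi
  done
  IFS=$_old_ifs
  return 1
}

# Exit status: 0 = affected, 1 = not affected, 2 = output not recognised.
vim_affected_by_cve_2026_47167() {
  _v=$1
  set -- $(vim_major_minor "$_v")
  [ $# -eq 2 ] || return 2
  _major=$1; _minor=$2
  # Without the Ruby interface (+ruby or +ruby/dyn) the vulnerable code path is absent.
  printf '%s\n' "$_v" | grep -qE '(^|[[:space:]])\+ruby(/dyn)?([[:space:]]|$)' || return 1
  # Any 9.1 or older release predates the fix, whatever its patch level.
  if [ "$_major" -lt 9 ] || { [ "$_major" -eq 9 ] && [ "$_minor" -lt 2 ]; }; then return 0; fi
  # Anything newer than 9.2 carries the fix.
  if [ "$_major" -gt 9 ] || [ "$_minor" -gt 2 ]; then return 1; fi
  # Exactly 9.2: fixed only if patch 496 itself is included.
  vim_has_patch "$_v" 496 && return 1
  return 0
}

# Human-readable wrapper around the exit status.
vim_cve_2026_47167_verdict() {
  if vim_affected_by_cve_2026_47167 "$1"; then
    echo affected
  elif [ $? -eq 2 ]; then
    echo unknown
  else
    echo not-affected
  fi
}

# Constructed sample outputs (not captured from real installs).
SAMPLE_VULNERABLE='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 01 2026 10:00:00)
Included patches: 1-400
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3           +ruby              +terminal'

SAMPLE_FIXED='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 20 2026 10:00:00)
Included patches: 1-600
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3           +ruby/dyn          +terminal'

SAMPLE_NO_RUBY='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 01 2026 10:00:00)
Included patches: 1-400
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3           -ruby              +terminal'

SAMPLE_OLD_91='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 19 2024 10:00:00)
Included patches: 1-1500
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3           +ruby              +terminal'

SAMPLE_PATCH_GAP='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 20 2026 10:00:00)
Included patches: 1-495, 497-600
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3           +ruby              +terminal'

echo "sample 9.2 patches 1-400, +ruby:        $(vim_cve_2026_47167_verdict "$SAMPLE_VULNERABLE")"
echo "sample 9.2 patches 1-600, +ruby/dyn:    $(vim_cve_2026_47167_verdict "$SAMPLE_FIXED")"
echo "sample 9.2 patches 1-400, -ruby:        $(vim_cve_2026_47167_verdict "$SAMPLE_NO_RUBY")"
echo "sample 9.1 patches 1-1500, +ruby:       $(vim_cve_2026_47167_verdict "$SAMPLE_OLD_91")"
echo "sample 9.2 patches 1-495,497-600 +ruby: $(vim_cve_2026_47167_verdict "$SAMPLE_PATCH_GAP")"

# Check the locally installed Vim, if there is one.
if command -v vim >/dev/null 2>&1; then
  echo "local vim: $(vim_cve_2026_47167_verdict "$(vim --version)")"
fi
```

The "patch gap" sample is the case the `head -n 1` check cannot see: a build with patches 1-495 and 497-600 reports "9.2" on its first line and has a highest patch number above 496, yet patch 496 is absent and the build is still affected. An "unknown" verdict means the output did not start with the expected "VIM - Vi IMproved" header (a Neovim or wrapper binary, for example) and should be inspected by hand rather than treated as safe.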

Mitigation Strategies

The immediate mitigation step is to upgrade Vim to version 9.2.0496 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, avoid opening cucumber-style repositories containing untrusted .rb step-definition files and refrain from using the step-jump mappings ([d or ]d) in such repositories.

Additionally, consider disabling the cucumber filetype plugin or compiling Vim without +ruby support if those features are not required.
