CVE-2026-52858

Python Code Execution in Vim via Omni-Completion

Vulnerability report for CVE-2026-52858, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.

Meta Information

  • Generated: 2026-07-02
  • AI Q&A: 2026-06-12
  • EPSS Evaluated: 2026-06-30
  • External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:

  • Vendor: vim
  • Product: vim
  • Version / Range: all versions up to 9.2.0561 (excluding 9.2.0561)

Exploitability

CWE:

  • CWE-95: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
  • CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  • CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

AI Quick Actions

Executive Summary

CVE-2026-52858 is a vulnerability in Vim versions prior to 9.2.0561 that affects the Python omni-completion feature. When Vim is built with the +python3 interpreter (or +python for legacy builds) and filetype plugins are enabled, the Python omni-completion script executes import and from statements found in the current buffer using Python's import system.

Because the buffer's working directory is included in Python's sys.path, opening a malicious Python (.py) file from an attacker-controlled directory that contains a sibling Python package allows that package's top-level code to be executed with the user's privileges when omni-completion is invoked.

Exploitation requires the user to manually trigger omni-completion (e.g., by pressing CTRL-X CTRL-O), which then runs the attacker's code locally. This vulnerability is due to improper handling of dynamically evaluated code and inclusion of untrusted functionality.

The issue was fixed in Vim version 9.2.0561 by disabling the execution of import and from statements during omni-completion by default, though users can re-enable it for trusted code via a configuration setting.

Impact Analysis

This vulnerability can lead to arbitrary local code execution on the user's machine with the privileges of the user running Vim.

If an attacker can trick a user into opening a malicious Python file from a directory containing a crafted sibling package, and the user invokes omni-completion, the attacker's code will run, potentially compromising the user's system.

The impact includes unauthorized execution of malicious code, which could lead to data theft, system compromise, or further attacks depending on the user's permissions.

However, the vulnerability requires user interaction to trigger omni-completion, which reduces the risk compared to automatic code execution on file open.

Detection Guidance

This vulnerability occurs when Vim with the +python3 or +python interpreter enabled opens a hostile .py file containing import or from statements and the user manually triggers Python omni-completion (e.g., by pressing CTRL-X CTRL-O). Detection involves identifying whether a vulnerable Vim version prior to 9.2.0561 is in use and whether the Python omni-completion feature is enabled.

To identify the installed Vim version and patch level, run:

  • vim --version | grep -E 'IMproved|Included patches'

The first matched line gives the major.minor version (e.g. 9.1 or 9.2) and the second the included patch range (e.g. "Included patches: 1-561"). A build is potentially vulnerable if it is older than 9.2, or is 9.2 with a patch level below 561. The string "9.2.0561" never appears in this output, so grepping for it cannot answer the question.

To check if Vim is compiled with Python 3 support, run:

  • vim --version | grep +python3

To check whether filetype plugins (which load the Python omni-completion script for .py buffers) are enabled, run inside Vim:

  • :filetype

The output reports "plugin:ON" when filetype plugins are active (":set filetype?" only shows the current buffer's filetype and does not answer this question). In a Python buffer, ":set omnifunc?" showing python3complete#Complete (or pythoncomplete#Complete on +python builds) confirms that the affected completion function is wired up.

If filetype plugins are enabled and the vulnerable version is used, the system is at risk when opening untrusted Python files and invoking omni-completion.

Mitigation Strategies

The primary mitigation is to update Vim to version 9.2.0561 or later, where the vulnerability has been patched by disabling execution of import and from statements during Python omni-completion by default.

If updating is not immediately possible, avoid opening untrusted Python files with Vim configured with +python3 or +python interpreters and do not invoke omni-completion (CTRL-X CTRL-O) on such files.

Additionally, ensure that the global Vim variable g:pythoncomplete_allow_import is not set to 1, as enabling it re-enables the vulnerable behavior.

In summary, immediate steps are:

  • Update Vim to version 9.2.0561 or later.
  • Avoid invoking Python omni-completion on untrusted Python files.
  • Ensure g:pythoncomplete_allow_import is unset or set to 0.
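
The version and configuration checks from the Detection Guidance and Mitigation Strategies sections, folded into one POSIX shell script. This is an added example, not part of the advisory or of Vim's own tooling: it assumes the fix threshold is exactly 9.2 with patch 561 as the description states, treats +python3, +python3/dyn and +python as the exposed interpreter flags, and uses constructed vim --version and vimrc samples rather than output captured from real builds.

```shell
#!/bin/sh
# Added example (not from the advisory): classify `vim --version` output
# against the CVE-2026-52858 fix (9.2.0561) and check a vimrc for the
# g:pythoncomplete_allow_import override named in the mitigation section.
FIXED_MAJOR=9
FIXED_MINOR=2
FIXED_PATCH=561

# vim_version_status "$(vim --version)"
# Prints: vulnerable | patched | not-exposed (no +python/+python3) | unknown
vim_version_status() {
    out="$1"
    # First line looks like: "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)"
    ver=$(printf '%s\n' "$out" |
        sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n1)
    if [ -z "$ver" ]; then
        echo unknown; return 0
    fi
    major=${ver%% *}
    minor=${ver##* }
    # "Included patches: 1-561" -> 561; a build that reports no patches gets 0
    patch=$(printf '%s\n' "$out" |
        sed -n 's/^Included patches: 1-\([0-9][0-9]*\).*/\1/p' | head -n1)
    patch=${patch:-0}
    # The completion script can only run code when a Python interpreter is
    # built in: the feature list shows +python3, +python3/dyn or +python,
    # while -python3 means the interpreter is absent.
    if ! printf '%s\n' "$out" | grep -Eq '(^|[[:space:]])[+]python3?(/|[[:space:]]|$)'; then
        echo not-exposed; return 0
    fi
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -gt "$FIXED_MINOR" ]; } ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ] &&
         [ "$patch" -ge "$FIXED_PATCH" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# vimrc_allows_import "$(cat ~/.vimrc)"
# Exit 0 when the text re-enables import execution, i.e. contains an
# uncommented "let g:pythoncomplete_allow_import = 1" line.
vimrc_allows_import() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*let[[:space:]]+g:pythoncomplete_allow_import[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Constructed sample outputs (not captured from real builds) so the script
# runs offline on a host without vim.
SAMPLE_OLD='VIM - Vi IMproved 9.1 (constructed sample, compiled today)
Included patches: 1-1000
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3           +syntax'
SAMPLE_FIXED='VIM - Vi IMproved 9.2 (constructed sample, compiled today)
Included patches: 1-561
Huge version without GUI.  Features included (+) or not (-):
+acl               +python3/dyn       +syntax'
SAMPLE_NOPY='VIM - Vi IMproved 9.1 (constructed sample, compiled today)
Included patches: 1-1000
Small version without GUI.  Features included (+) or not (-):
+acl               -python3           -python            +syntax'
SAMPLE_VIMRC='" constructed vimrc
set nocompatible
let g:pythoncomplete_allow_import = 1'

echo "SAMPLE_OLD:   $(vim_version_status "$SAMPLE_OLD")"
echo "SAMPLE_FIXED: $(vim_version_status "$SAMPLE_FIXED")"
echo "SAMPLE_NOPY:  $(vim_version_status "$SAMPLE_NOPY")"
if vimrc_allows_import "$SAMPLE_VIMRC"; then
    echo "SAMPLE_VIMRC: re-enables import execution (unset it or set it to 0)"
fi

# Live check on this host, when vim is installed
if command -v vim >/dev/null 2>&1; then
    echo "installed vim: $(vim_version_status "$(vim --version 2>/dev/null)")"
    if [ -f "$HOME/.vimrc" ] && vimrc_allows_import "$(cat "$HOME/.vimrc")"; then
        echo "~/.vimrc sets g:pythoncomplete_allow_import = 1"
    fi
fi
```

The version test is written against the "IMproved" and "Included patches" lines rather than a literal "9.2.0561", because Vim reports the patch level as a range, not as a dotted version; anything older than 9.2, or 9.2 below patch 561, is reported as vulnerable only when a Python interpreter flag is present, since without +python3 or +python the completion script has no interpreter to run the imports in.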

Compliance Impact

The vulnerability in Vim allows arbitrary local code execution when a user opens a malicious Python file and triggers omni-completion, potentially leading to unauthorized code running with the user's privileges.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, arbitrary code execution vulnerabilities can pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

If exploited in environments handling sensitive personal or health data, this vulnerability could lead to unauthorized access or modification of such data, thereby potentially violating compliance requirements.

Mitigation by updating to Vim version 9.2.0561 reduces this risk by disabling the execution of import/from statements during omni-completion by default.
