CVE-2026-52860
Status: Received - Intake
Python Code Execution in Vim via Omni-Completion

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
Affected Vendors & Products (2 associated CPEs)

Vendor   Product   Version / Range
vim      vim       up to 9.2.0597 (excluding)
vim      vim       up to 9.2.0596 (including)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Impact Analysis

This vulnerability allows an attacker to execute arbitrary Python code with the privileges of the user running Vim. If a user triggers Python omni-completion in a maliciously crafted buffer, the attacker's code runs on the user's system with that user's privileges.

Potential impacts include file creation, modification or deletion, data theft, and further compromise of the user's environment, bounded by the permissions of the Vim process.

Detection Guidance

To determine exposure, check whether the installed Vim is older than 9.2.0597 and was built with the Python interface (+python3 and +python). Triggering Python omni-completion (e.g., with CTRL-X CTRL-O) in a buffer containing hostile Python code is what exercises the vulnerable path.

To check the Vim version installed on your system, you can run the command:

  • vim --version

To verify that Vim was built with Python support, look for +python3 and +python in the feature list printed by that command (a leading - instead of + means the feature is not compiled in).
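A small checker for the procedure above, added here as an example (it is not part of the advisory or of Vim): it parses the text printed by `vim --version` for the version line, the "Included patches" line and the feature flags, and reports a build as affected when it is older than 9.2.0597 and has either the +python or the +python3 interface compiled in. The sample outputs are constructed.

```python
import re
from dataclasses import dataclass

FIXED = (9, 2, 597)  # first fixed version named by the advisory: 9.2.0597

# Constructed excerpts of `vim --version` output (not real captures).
SAMPLE_VULNERABLE = """VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jan 02 2026 10:00:00)
Included patches: 1-300
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +python3           -tag_any_white
"""
SAMPLE_FIXED = """VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 12 2026 10:00:00)
Included patches: 1-597
+acl               +python3/dyn       -python
"""
SAMPLE_NO_PYTHON = """VIM - Vi IMproved 9.1 (2024 Jan 02)
Included patches: 1-1000
+acl               -python            -python3
"""


@dataclass(frozen=True)
class VimBuild:
    major: int
    minor: int
    patch: int
    features: frozenset  # names of features compiled in, e.g. {"python3"}


def parse_vim_version(output: str) -> VimBuild:
    """Parse the text printed by `vim --version` into a VimBuild."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'Vi IMproved X.Y' line found")
    # "Included patches: 1-597" (possibly several ranges); the highest number is the patch level
    patch = 0
    pm = re.search(r"Included patches:\s*([\d\-, ]+)", output)
    if pm:
        patch = max(int(n) for n in re.findall(r"\d+", pm.group(1)))
    # Feature flags look like "+python3", "-python" or "+python3/dyn"; keep only the "+" ones
    flags = re.findall(r"(?m)(?:^|\s)([+-])([a-z0-9_]+)(?:/dyn)?\b", output)
    features = frozenset(name for sign, name in flags if sign == "+")
    return VimBuild(int(m.group(1)), int(m.group(2)), patch, features)


def has_python(build: VimBuild) -> bool:
    return bool({"python", "python3"} & build.features)


def is_affected(build: VimBuild) -> bool:
    """True when the build predates 9.2.0597 and has a Python interface."""
    return has_python(build) and (build.major, build.minor, build.patch) < FIXED
```

Running `parse_vim_version` on the real output of `vim --version` (for example via `subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout`) gives the same verdict for the installed binary.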

To detect exploitation attempts, monitor for unexpected Python code execution originating from Vim, especially when users invoke CTRL-X CTRL-O in files from untrusted sources.

Mitigation Strategies

The immediate mitigation step is to upgrade Vim to version 9.2.0597 or later, where the vulnerability has been patched.

Until you can upgrade, avoid triggering Python omni-completion (CTRL-X CTRL-O) in untrusted or hostile buffers, as this is the attack vector.

Note that the existing mitigation g:pythoncomplete_allow_import does not protect against this vulnerability, so relying on it is insufficient.

If upgrading immediately is not possible, consider disabling Python support in Vim or restricting Python omni-completion to trusted files only.

Executive Summary

CVE-2026-52860 is a vulnerability in Vim's Python omni-completion feature present in versions prior to 9.2.0597. Vim reconstructs Python function and class definitions from the current buffer and executes them using Python's exec() function to populate the completion dictionary. Because Python evaluates function default values, parameter annotations, and class base expressions at definition time, an attacker can craft a malicious buffer containing Python expressions that execute arbitrary code when omni-completion is triggered.

The existing mitigation g:pythoncomplete_allow_import does not prevent this attack because the malicious code is not an import statement. This vulnerability affects Vim builds with +python3 and +python enabled, allowing code execution with the user's privileges.
