CVE-2026-55895
Undergoing Analysis - In Progress
Vimscript Code Injection in Vim via Netrw Plugin

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor  Product  Version / Range
vim     vim      9.2.0663
vim     vim      up to 9.2.0663 (excluding)
CWE ID  Description
CWE-78  The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-94  The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Impact Analysis

This vulnerability can allow an attacker to execute arbitrary Vimscript commands, including shell commands, with the privileges of the user running Vim.

An attacker must first place a specially crafted file with a malicious filename containing a pipe character in a directory browsed by the victim using the netrw plugin.

If the victim deletes this malicious file using the netrw browser, the attacker’s code can be executed, potentially leading to unauthorized command execution on the victim’s system.

The severity is rated Medium because exploitation requires user interaction and a deliberately planted file, but the impact can be significant due to full command execution capabilities.

Executive Summary

This vulnerability is a Vimscript code injection issue in the netrw plugin of Vim versions prior to 9.2.0663. It occurs in the function s:NetrwLocalRmFile() when deleting a local file from the netrw browser.

The problem arises because the filename derived from the directory listing is only partially escaped (only backslashes are escaped) before being passed to the :execute command. If a filename contains a pipe character (|), it can terminate the intended command and inject arbitrary Vimscript commands, including shell commands via :call system() or :!.

Exploitation requires a crafted malicious filename containing a pipe character to be present in the browsed directory and the victim to delete that file using the netrw plugin.

This vulnerability was fixed in Vim patch version 9.2.0663 by properly escaping filenames using the fnameescape() function before passing them to :execute, preventing command injection.

Detection Guidance

This vulnerability arises when a maliciously crafted filename containing a pipe character (|) is present in a directory browsed by Vim's netrw plugin and the user deletes that file using the netrw browser. Detection involves identifying such crafted filenames on your system.

  • Search for filenames containing the pipe character (|) in directories that users might browse with Vim's netrw plugin.
  • Use commands like `find /path/to/scan -name '*|*'` on Unix-like systems to locate files with pipe characters in their names.
  • Check the Vim version installed by running `vim --version` to verify if it is prior to 9.2.0663, which is vulnerable.

Since exploitation requires user interaction (deleting the crafted file via netrw), monitoring user actions in Vim or auditing file deletions in directories with suspicious filenames may also help detect attempts.
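The two detection steps above (locating filenames that contain a bar character and comparing the installed Vim against 9.2.0663) as one POSIX shell script. This is an added example, not code from the advisory or from the Vim/netrw project; the function names are chosen here, the `vim --version` samples used for testing are constructed, and the version parser assumes the usual layout of that output (a "VIM - Vi IMproved X.Y ..." line plus an "Included patches: 1-N" line when patches are present).

```shell
#!/bin/sh
# Added example, not part of the advisory or of Vim/netrw: locate filenames
# containing the bar character that CVE-2026-55895 abuses, and decide from the
# text of `vim --version` whether the installed build predates the 9.2.0663 fix.

# List every path under the given directory whose name contains a '|'.
find_pipe_names() {
    find "$1" -name '*|*' -print 2>/dev/null
}

# Same scan, reduced to a plain count so scripts can branch on it.
count_pipe_names() {
    find_pipe_names "$1" | wc -l | tr -d ' '
}

# Print "major minor patch" parsed from `vim --version` text passed as $1.
# Assumed layout: a "VIM - Vi IMproved X.Y ..." line and, when patches are
# compiled in, an "Included patches: 1-N" line (a missing line counts as 0).
vim_version_triple() {
    text=$1
    major=$(printf '%s\n' "$text" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p' | head -n 1)
    minor=$(printf '%s\n' "$text" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p' | head -n 1)
    patch=$(printf '%s\n' "$text" | sed -n 's/^Included patches: 1-\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$major" ] || return 1        # unrecognised output
    printf '%s %s %s\n' "$major" "$minor" "${patch:-0}"
}

# Exit 0 (true) when the version is older than 9.2.0663, 1 when it is
# 9.2.0663 or newer, 2 when the text could not be parsed.
vim_is_vulnerable() {
    triple=$(vim_version_triple "$1") || return 2
    set -- $triple
    major=$1; minor=$2; patch=$3
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -eq 2 ] && [ "$patch" -lt 663 ]; then return 0; fi
    return 1
}

# Human-readable report for one directory tree and the Vim found on PATH.
scan_report() {
    dir=$1
    echo "Files with '|' in the name under $dir: $(count_pipe_names "$dir")"
    find_pipe_names "$dir" | sed 's/^/  /'
    out=$(vim --version 2>/dev/null) || { echo "vim not found on PATH"; return 0; }
    vim_is_vulnerable "$out" && rc=0 || rc=$?
    case $rc in
        0) echo "Installed Vim predates the 9.2.0663 fix: upgrade" ;;
        1) echo "Installed Vim is 9.2.0663 or newer" ;;
        *) echo "Could not parse vim --version output" ;;
    esac
}

# Run the report when a directory is given on the command line,
# e.g.  sh netrw_check.sh /home
if [ "$#" -ge 1 ]; then
    scan_report "$1"
fi
```

The version check deliberately works on the text of `vim --version` rather than on the binary, so the same function can be fed output collected from remote hosts by an inventory job; a build whose output does not match the expected layout is reported as unparsed rather than silently treated as patched.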

Mitigation Strategies

The primary mitigation is to upgrade Vim to version 9.2.0663 or later, where the vulnerability is fixed by properly escaping filenames before executing commands.

  • Update Vim to version 9.2.0663 or newer.
  • Avoid browsing or deleting files with suspicious or unusual filenames containing special characters like the pipe (|) in Vim's netrw plugin.
  • Educate users about the risk of deleting files with crafted names in Vim's netrw browser.

If immediate upgrade is not possible, restrict user permissions to prevent creation of files with special characters in directories accessed by Vim, and monitor for suspicious filenames.
