CVE-2026-57456
Undergoing Analysis Undergoing Analysis - In Progress
Python Omni-Completion Code Injection in Vim

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-57456
EUVD
EUVD-2026-39436
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vim vim 9.2.0699
vim vim to 9.2.0699 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-57456 is a vulnerability in Vim's Python omni-completion feature prior to version 9.2.0699. Vim reconstructs Python function and class definitions from the current buffer and executes them using Python's exec() function to provide code completion. However, when inserting docstrings into the reconstructed code, Vim does so verbatim between triple quotes without escaping. This allows a maliciously crafted docstring containing triple quotes to break out of the string literal and execute arbitrary Python code during omni-completion.

This vulnerability requires the user to trigger Python omni-completion (for example, by pressing CTRL-X CTRL-O) in a hostile buffer containing the malicious docstring. Vim builds without Python support are not affected.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the user's system when they use Vim's Python omni-completion feature on a maliciously crafted buffer. An attacker can execute Python code with the privileges of the user running Vim, potentially leading to unauthorized actions such as data theft, system compromise, or further exploitation.

Detection Guidance

This vulnerability can be detected by checking if your Vim installation is a version prior to 9.2.0699 and if it has Python support enabled (+python3 or +python). The vulnerability is triggered when Python omni-completion is used in a hostile buffer, typically by pressing CTRL-X CTRL-O in insert mode.

To detect if your Vim is vulnerable, you can run the following command in Vim to check the version:

  • :version

To check if Python support is enabled, run in Vim:

  • :echo has('python3')
  • :echo has('python')

If the version is older than 9.2.0699 and Python support is enabled, your Vim is vulnerable. Additionally, monitoring for unexpected execution of Python code during omni-completion (triggered by CTRL-X CTRL-O) in suspicious buffers could indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Vim to version 9.2.0699 or later, where the vulnerability has been fixed by properly escaping docstrings in Python omni-completion.

If upgrading is not immediately possible, avoid using Python omni-completion (triggered by CTRL-X CTRL-O) in Vim, especially on untrusted or hostile buffers.

Alternatively, use a Vim build without Python support (+python3 and +python), as those builds are not affected by this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart