CVE-2026-59856
Analyzed Analyzed - Analysis Complete

PHP Omni-Completion Command Injection in Vim

Vulnerability report for CVE-2026-59856, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vim vim to 9.2.0736 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Vim, an open source command line text editor, specifically in the PHP omni-completion script before version 9.2.0736. The script interpolates a class or trait name from the edited buffer into a search() pattern without properly escaping it. If the name contains a single quote, it can prematurely terminate the search() string argument. Because the bar character is treated as a command separator, the rest of the name is executed as Ex commands. Through the :! command, this can lead to arbitrary operating-system command execution when a user opens a crafted PHP file and triggers omni-completion.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary operating system commands on the victim's machine when they open a specially crafted PHP file and invoke omni-completion in Vim. This could lead to unauthorized actions such as data theft, system compromise, or further malware installation, depending on the privileges of the user running Vim.

Mitigation Strategies

To mitigate this vulnerability, update Vim to version 9.2.0736 or later, where the issue has been fixed.

Detection Guidance

This vulnerability can be detected by checking the version of Vim installed on your system. Versions prior to 9.2.0736 are vulnerable.

You can verify the Vim version by running the command:

  • vim --version

If the version is older than 9.2.0736, your Vim installation is vulnerable.

Additionally, you can check if the PHP omni-completion feature is enabled by verifying if filetype plugins are active (usually enabled by default) and if the filetype plugin for PHP is loaded.

To check if filetype plugins are enabled in Vim, open Vim and run:

  • :set filetype?

If the output shows 'filetype=php' when editing a PHP file and filetype plugins are enabled, the environment is susceptible if the Vim version is vulnerable.

There are no specific network commands to detect exploitation attempts since this is a local code execution vulnerability triggered by user interaction within Vim.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59856. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart