CVE-2026-59858
Analyzed Analyzed - Analysis Complete

Vim C Omni-Completion Command Injection

Vulnerability report for CVE-2026-59858, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vim vim to 9.2.0735 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Vim, an open source command line text editor, specifically in versions prior to 9.2.0735. The issue is in the C omni-completion script, which interpolates certain fields from a tags entry into a :vimgrep pattern without escaping them properly. Because :vimgrep treats the bar character as a command separator, a maliciously crafted tag field can close the search pattern and append an arbitrary Ex command. When a hostile .c file containing such a tag entry is opened and C omni-completion is invoked, the appended command runs with the privileges of the editing user.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary commands on the system with the privileges of the user running Vim. This can lead to unauthorized actions such as modifying files, executing malicious code, or compromising the system's security.

Mitigation Strategies

To mitigate this vulnerability, update Vim to version 9.2.0735 or later, where the issue has been fixed.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if your Vim installation is a version prior to 9.2.0735, as the issue is fixed starting from that version.

To detect potential exploitation attempts, monitor for usage of the C omni-completion feature (typically invoked with CTRL-X CTRL-O) in Vim when editing C source files, especially if filetype plugins are enabled and a tags file is present.

You can verify your Vim version by running the following command in your terminal:

  • vim --version

To check if the vulnerable script is present, you can look for the ccomplete.vim file in the runtime autoload directory:

  • ls $(vim --cmd 'echo $VIMRUNTIME' --cmd 'quit')/autoload/ccomplete.vim

Since the vulnerability involves crafted tags files, you can inspect your tags files for suspicious entries containing typeref: or typename: fields with unusual characters such as the pipe (|) symbol that could be used to inject commands.

There are no specific built-in commands to detect exploitation attempts automatically, but monitoring Vim usage logs or audit logs for unexpected command executions triggered during omni-completion could help.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart