CVE-2026-34714NVD

Vulnerability Summary

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Severity Level

CRITICAL(9.2)

Published Date

Mar 30, 2026

Last Modified

Apr 3, 2026

Exploitation Status

No confirmed exploitation yet

EPSS Score (30-Day)

0.01%Probability

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

CVSS v3.1 Base Metrics

Attack VectorLocal

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityLow

External References

https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459
https://github.com/vim/vim/releases/tag/v9.2.0272
https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
https://www.openwall.com/lists/oss-security/2026/03/30/3
http://www.openwall.com/lists/oss-security/2026/04/02/4
http://www.openwall.com/lists/oss-security/2026/04/02/5
http://www.openwall.com/lists/oss-security/2026/04/03/6