CVE-2026-28417
Severity: High (CVSS 7.8)
WAF coverage: High
Published: 2026-02-27
CWE-78
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
WAF Coverage Analysis
- Vulnerability class: OS Command Injection (CWE-78)
- WAF coverage: High
- OWASP Top 10: A03:2021 Injection
- OWASP CRS rule group: 932xxx (Remote Code Execution)
Affected Software
| Vendor | Product | Version |
|---|---|---|
| vim | vim | versions before 9.2.0073 (fixed in 9.2.0073) |
References
- github.com (Patch)
- github.com (Release Notes)
- github.com (Patch, Vendor Advisory)
- www.openwall.com (Mailing List, Patch, Third Party Advisory)