Vim · Vim · CVE-2026-34714
Name of the Vulnerable Software and Affected Versions: Vim versions prior to 9.2.0272, i.e. any build that includes the tabpanel feature and does not carry patch 9.2.0272.
Description: Vim versions prior to 9.2.0272 allow code execution when a crafted file is opened with the default configuration. Vim marks options whose values may contain evaluated expressions (for example 'statusline' and 'tabline') with the P_MLE flag, which means a modeline may set them only while 'modelineexpr' is enabled; 'modelineexpr' is off by default precisely so that a file's modeline cannot smuggle in `%{expr}` items. The 'tabpanel' option lacked the P_MLE flag, so a modeline in a crafted file could set a `%{expr}` item in the tabpanel and Vim evaluated the injected expression, giving arbitrary code execution as the user running Vim. Because modeline processing is on by default for ordinary users, nothing non-default is required on the victim's side: opening the file is enough. Reports indicate that attackers are actively exploiting CVE-2026-34714 this way; the impact is described as remote code execution because the attacker's only requirement is that the victim open a delivered file. Discovery is credited to Claude AI.
Recommendations: Update Vim to version 9.2.0272 or newer immediately and verify the fix is present with `:echo has('patch-9.2.0272')`, which prints 1 on a patched build. Until every affected installation is updated, disable modeline processing with `set nomodeline` (or `set modelines=0`) in the vimrc; this removes the vector regardless of version, because the injection is delivered through a modeline. Leaving 'modelineexpr' off (its default) is not sufficient on its own here, since the missing P_MLE flag is exactly what bypassed that check. Avoid opening files from untrusted sources in an unpatched Vim.
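The description above identifies the vector as a modeline that sets 'tabpanel' to a `%{expr}` item, and the recommendations ask users to avoid untrusted files. The following scanner is an added example, not code from the Vim project or from the advisory, that applies Vim's own modeline rules (only the first and last 'modelines' lines, default 5, are examined; `vi:`, `vim:`, `Vim:`, `ex:` and the versioned `vim<NNN:` forms introduce a modeline) and flags any line that sets 'tabpanel' or its short form 'tpl' to a value containing `%{`. The sample inputs are constructed for this example; the expression in the suspicious sample is a harmless placeholder, not a captured payload.

```python
import re
import sys
from typing import List, Tuple

# Vim reads modelines from the first and last 'modelines' lines (default 5).
MODELINES = 5

# Start of a Vim modeline: "vi:", "vim:", "Vim:" or "ex:" at the start of the
# line or after whitespace, plus the versioned forms "vim<900:", "vim=900:",
# "vim>900:". Everything after the colon is the option text.
_MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[Vv]im(?:[<=>]\d+)?|ex):\s*(.*)$")

# 'tabpanel' (short 'tpl') being assigned (=, +=, ^=, -=) a value that contains
# "%{", the start of an expression item. Option values in a modeline end at
# whitespace or ":", but either may appear if backslash-escaped, so the value
# pattern accepts "\\." as well as plain characters.
_TABPANEL_EXPR_RE = re.compile(
    r"(?:^|[\s:])(?:tabpanel|tpl)[+^-]?=(?:\\.|[^\s:\\])*%\{"
)


def find_tabpanel_modelines(text: str, modelines: int = MODELINES) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for every modeline Vim would honour
    that injects a %{expr} item into 'tabpanel'."""
    lines = text.splitlines()
    if len(lines) <= 2 * modelines:
        candidates = list(enumerate(lines, 1))
    else:
        head = list(enumerate(lines[:modelines], 1))
        tail = list(enumerate(lines[-modelines:], len(lines) - modelines + 1))
        candidates = head + tail

    hits = []
    for lineno, line in candidates:
        m = _MODELINE_RE.search(line)
        if not m:
            continue
        if _TABPANEL_EXPR_RE.search(m.group(1)):
            hits.append((lineno, line.strip()))
    return hits


# Constructed samples (not real files): an ordinary modeline and one that sets
# 'showtabpanel' and injects a placeholder expression into 'tabpanel'.
SAMPLE_BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
SAMPLE_SUSPECT = (
    "/* vim: set stpl=1 tpl=%{system('id')}: */\n"
    "int main(void) { return 0; }\n"
)


if __name__ == "__main__":
    # Usage: python scan_tabpanel_modelines.py FILE [FILE ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in find_tabpanel_modelines(fh.read()):
                print(f"{path}:{lineno}: {line}")
```

Run it over a download directory or a mail attachment quarantine before the files reach an unpatched Vim. Note that the scanner deliberately ignores modelines outside the head and tail windows, because Vim ignores them too; a hit in a file that also sets 'showtabpanel' (stpl) deserves particular attention, but the injected expression is worth investigating on its own.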