PT-2025-48785 · Vim · Vim

Published 2025-12-02 · Updated 2026-01-30 · CVE-2025-66476

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vim for Windows versions prior to 9.1.1947
Description: Vim is a command line text editor. Vim for Windows is affected by an uncontrolled search path issue. When cmd.exe is used as the 'shell' (the default on Windows), an unqualified command name that Vim passes to the shell is resolved by searching the current working directory before the directories in PATH. An attacker who can place an executable named after one of those commands (for example findstr.exe) in Vim's current working directory, typically the directory of the file being edited, gets it run instead of the system tool when the user invokes :grep (which runs findstr), an external command via :!, or :make and other compiler commands. The planted executable runs with the privileges of the user running Vim, so the issue enables arbitrary code execution; user interaction (running one of those commands) is required, as the CVSS vector's UI:R reflects.
Recommendations: Update Vim to version 9.1.1947 or later to address this issue. Until the update is applied, avoid running :grep, :make or :! while Vim's current directory is an untrusted location (a cloned repository, a download folder, an extracted archive), and note that Windows lets cmd.exe skip the current directory when resolving bare command names if the NoDefaultCurrentDirectoryInExePath environment variable is defined (documented by Microsoft under NeedCurrentDirectoryForExePath).
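As an added illustration, not code from this advisory or from the Vim project, the Python below models the two lookup orders the description contrasts (current directory before PATH, as cmd.exe does by default, versus PATH only) and audits a directory for files that would shadow the tools Vim hands to the shell. The PATHEXT list, the tool names, the function names and the on-disk layout built by demo() are constructed assumptions for the example.

```python
"""Model of the bare-command lookup behind CVE-2025-66476, plus a pre-open audit
of a directory for planted executables that would shadow Vim's external tools."""
import os
import tempfile
from pathlib import Path

# Executable extensions tried, in order, for a bare command name. This mirrors a
# typical default PATHEXT; a real check would read the environment variable.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]

# Tools Vim passes to the shell by bare name in the scenarios the advisory lists:
# findstr for :grep, make or a compiler for :make, grep if 'grepprg' was changed.
# The list is an assumption for the example, not an exhaustive inventory.
VIM_SHELL_TOOLS = ["findstr", "make", "cl", "grep"]


def resolve_command(name, cwd, path_dirs, search_cwd_first=True):
    """Return the file a cmd.exe-style lookup would run for a bare command name.

    search_cwd_first=True consults the current directory before every PATH entry,
    the unsafe order exploited here. search_cwd_first=False skips it, which is the
    behaviour cmd.exe adopts when NoDefaultCurrentDirectoryInExePath is defined.
    """
    dirs = ([cwd] if search_cwd_first else []) + list(path_dirs)
    _, ext = os.path.splitext(name)
    # A name that already carries an executable extension is tried as-is;
    # otherwise each PATHEXT extension is appended in order.
    candidates = [name] if ext.lower() in PATHEXT else [name + e for e in PATHEXT]
    for d in dirs:
        for c in candidates:
            p = Path(d) / c
            if p.is_file():
                return str(p)
    return None


def audit_dir_for_shadowing(directory, tools=VIM_SHELL_TOOLS):
    """List files in `directory` whose name would be picked up instead of one of
    `tools` when the shell resolves that tool from the current directory."""
    found = []
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name)
        if stem.lower() in tools and ext.lower() in PATHEXT:
            found.append(entry.name)
    return sorted(found)


def demo():
    """Constructed layout: a fake system directory holding the real findstr, and a
    project directory where findstr.exe and make.bat sit next to the file to edit."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "System32"
        system32.mkdir()
        (system32 / "findstr.exe").write_bytes(b"legit")

        project = Path(tmp) / "untrusted_repo"
        project.mkdir()
        (project / "README.txt").write_text("open me in vim\n")
        (project / "findstr.exe").write_bytes(b"planted")  # attacker-controlled
        (project / "make.bat").write_bytes(b"planted")     # attacker-controlled

        unsafe = resolve_command("findstr", project, [system32], search_cwd_first=True)
        safe = resolve_command("findstr", project, [system32], search_cwd_first=False)
        return {
            "unsafe_picks_planted": Path(unsafe).parent == project,
            "safe_picks_system": Path(safe).parent == system32,
            "shadowing_files": audit_dir_for_shadowing(project),
        }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the same bare name resolving to the planted binary under the default order and to the system copy once the current directory is excluded; audit_dir_for_shadowing() is the check to run on a directory before opening files from it with a Vim build older than 9.1.1947.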

Exploit · Fix · RCE

Weakness Enumeration

CWE-427: Uncontrolled Search Path Element

Related Identifiers

CVE-2025-66476
GHSA-G77Q-XRWW-P834
ZDI-25-1059

Affected Products

Vim