PT-2026-22416

Ehdgks0627 · Published 2026-02-27 · Updated 2026-05-24 · CVE-2026-28417

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Vim versions prior to 9.2.0073

Description: Vim is a command line text editor. A flaw exists in the netrw standard plugin bundled with Vim. An attacker can potentially execute arbitrary shell commands with the privileges of the Vim process by tricking a user into opening a specially crafted URL, such as one using the scp:// protocol handler. The netrw plugin is vulnerable to OS command injection.

Recommendations: Versions prior to 9.2.0073 should be updated to version 9.2.0073 or later.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

ALSA-2026:6915
ALSA-2026:7711
ALSA-2026:8259
AZL-78497
BDU:2026-02589
CVE-2026-28417
ECHO-180E-0061-390D
GHSA-M3XH-9434-G336
MGASA-2026-0049
OESA-2026-1565
OPENSUSE-SU-2026:20403-1
RHSA-2026:6502
RHSA-2026:6539
RHSA-2026:6540
RHSA-2026:6617
RHSA-2026:6619
RHSA-2026:6620
RHSA-2026:6729
RHSA-2026:6730
RHSA-2026:6731
RHSA-2026:6736
RHSA-2026:6915
RHSA-2026:7711
RHSA-2026:8259
SUSE-SU-2026:0910-1
SUSE-SU-2026:1051-1
SUSE-SU-2026:1095-1
SUSE-SU-2026:20732-1
SUSE-SU-2026:20738-1
SUSE-SU-2026:20759-1
SUSE-SU-2026:20916-1
USN-8101-1

Affected Products

Linuxmint
Red Os
Rocky Linux
Ubuntu
Vim
Netrw