PT-2026-29096 · Vim +1

Christian Brabandt · Published 2026-01-01 · Updated 2026-05-24 · CVE-2026-34714

CVSS v3.1: 9.2 (Critical)
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Vim versions prior to 9.2.0272.
Description: Vim versions prior to 9.2.0272 contain a flaw that allows code execution when a crafted file is opened in the default configuration. The cause is a %{expr} injection in the tabpanel, whose option lacks the P_MLE flag (the flag that places an option under the control of 'modelineexpr'). Reports indicate that attackers are actively exploiting this vulnerability (CVE-2026-34714) to achieve Remote Code Execution (RCE) through malicious %{expr} injections in crafted files; real-world incidents have been recorded in which simply opening a malicious file was enough to execute attacker-controlled code. The vulnerability was discovered by Claude AI. It affects the tabpanel component and involves code injection through the %{expr} mechanism. No specific API endpoint is named; the vulnerability is triggered by opening a file that contains a crafted payload.
Recommendations: Update Vim to version 9.2.0272 or newer immediately. Avoid opening files from untrusted sources.

Tags: Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-05833
CVE-2026-34714
ECHO-D746-10AA-D3E5
MGASA-2026-0077
OPENSUSE-SU-2026:10652-1
OPENSUSE-SU-2026:20540-1
SUSE-SU-2026:1347-1
SUSE-SU-2026:1387-1
SUSE-SU-2026:1607-1
SUSE-SU-2026:21118-1
SUSE-SU-2026:21124-1
SUSE-SU-2026:21134-1
SUSE-SU-2026:21197-1

Affected Products

RED OS
Vim