PT-2026-35033 · Vim +2

Andynx90 +1 · Published 2026-04-24 · Updated 2026-05-28 · CVE-2026-41411

CVSS v3.1: 6.6 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Name of the Vulnerable Software and Affected Versions
Vim versions prior to 9.2.0357

Description
Command injection occurs during tag file processing. When Vim resolves a tag, the filename field from the tags file undergoes wildcard expansion to resolve environment variables and wildcards. If this field contains backtick syntax, such as `command`, the embedded command is executed via the system shell with the full privileges of the running user.

Recommendations
Update to version 9.2.0357 or later.
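
A defensive check for the issue described above, added here as an example that is not part of the original advisory or of Vim's code: it scans a tags file and reports entries whose filename field contains a backtick. It assumes the usual tab-separated tags layout (tag name, filename, ex command); the function name and the sample lines are constructed for illustration.

```python
"""Flag tags-file entries whose filename field contains a backtick."""
import sys


def suspicious_tag_entries(lines):
    """Return (line_number, tag, filename) for entries with '`' in the filename.

    Assumes the tab-separated layout: tagname<TAB>filename<TAB>excmd...
    Header lines such as "!_TAG_..." are checked too rather than skipped.
    """
    findings = []
    for number, raw in enumerate(lines, start=1):
        fields = raw.rstrip("\r\n").split("\t")
        if len(fields) < 2:
            continue  # blank line or no filename field present
        tag, filename = fields[0], fields[1]
        # Only the filename field matters here; backticks inside the
        # ex-command field (e.g. in a search pattern) are not reported.
        if "`" in filename:
            findings.append((number, tag, filename))
    return findings


# Constructed sample input (not taken from a real tags file).
SAMPLE = [
    '!_TAG_FILE_FORMAT\t2\t/extended format/\n',
    'main\tsrc/main.c\t/^int main(void)$/;"\tf\n',
    'helper\t`command`\t/^void helper(void)$/;"\tf\n',
    'note\tsrc/doc.c\t/^ \\* use `backticks` here$/;"\tv\n',
]


def main(argv):
    if len(argv) > 1:
        # Tags files may hold arbitrary bytes, so decode leniently.
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            findings = suspicious_tag_entries(handle)
    else:
        findings = suspicious_tag_entries(SAMPLE)
    for number, tag, filename in findings:
        print(f"line {number}: tag {tag!r}: backtick in filename field {filename!r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a tags file path as the only argument; it exits with status 1 if any entry is flagged.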

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41411
ECHO-C375-87D8-EE8B
OESA-2026-2201
OESA-2026-2202
OESA-2026-2203
OESA-2026-2204
OESA-2026-2297
USN-8246-1
USN-8342-1

Affected Products

Linuxmint
Ubuntu
Vim