CVE-2026-47162
HIGH 7.3Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
Severe if exploited (CVSS 7.3), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.2%chance of exploitation in 30 days · 12th percentile
Impact if exploited
7.3CVSS 4.0 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityHigh
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires a low-privilege account
- ⚠User interaction: Requires active user interaction
- ✓Complexity: No special conditions — reliably repeatable
- ⚠Requirements: Specific conditions must be present
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Vim Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 Red Hat Openshift Container Platform 4
Weakness (CWE)
- CWE-74: Injection
- CWE-94: Code injection
- CWE-140
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
Technical & other
- https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c
- https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b
- https://github.com/vim/vim/releases/tag/v9.2.0495
- https://access.redhat.com/security/cve/CVE-2026-47162
- https://bugzilla.redhat.com/show_bug.cgi?id=2487964
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47162.json