CVE-2026-52860
HIGH 7.5
Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.
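The description above hinges on one Python property: the expressions in a `def` line (default values, annotations) and a `class` line (base expressions) run when the definition statement itself is executed, not when the function is later called. The following added example (not code from the page or from Vim) makes that visible with a constructed buffer whose only "payload" is a recording function, `side_effect`, and contrasts it with a static approach that reads the same names and parameters from the AST without executing anything. The AST variant is illustrative only; it is not a claim about how the 9.2.0597 patch is implemented.

```python
import ast

# Constructed sample buffer standing in for editor text that the user did not write.
# Both expressions below run as soon as the definitions are exec()'d.
SAMPLE_BUFFER = '''
def handler(request, retries=side_effect("default evaluated")):
    pass

class Plugin(side_effect("base evaluated")):
    def run(self):
        pass
'''

# Records every time one of the embedded expressions is evaluated.
EVENTS = []


def side_effect(tag):
    """Hypothetical stand-in for arbitrary code; it only logs that it ran."""
    EVENTS.append(tag)
    return object  # a valid base class so the class statement still succeeds


def complete_with_exec(buffer_text):
    """Pre-fix pattern: materialise live objects with exec() and list what was defined.

    Returns the names defined by the buffer. As a side effect, every default
    value and base expression in the buffer has now been evaluated.
    """
    ns = {"side_effect": side_effect}
    exec(buffer_text, ns)  # definition-time evaluation happens here
    return sorted(name for name in ns if name not in ("side_effect", "__builtins__"))


def complete_with_ast(buffer_text):
    """Static alternative: collect names and parameter lists from the parse tree.

    ast.parse() never evaluates the source, so default values and base
    expressions are reported as text rather than executed.
    """
    tree = ast.parse(buffer_text)
    items = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            params = ", ".join(a.arg for a in node.args.args)
            items[node.name] = f"def {node.name}({params})"
        elif isinstance(node, ast.ClassDef):
            bases = ", ".join(ast.unparse(b) for b in node.bases)
            items[node.name] = f"class {node.name}({bases})"
    return items


if __name__ == "__main__":
    print("static:", complete_with_ast(SAMPLE_BUFFER), "events:", EVENTS)
    print("exec:  ", complete_with_exec(SAMPLE_BUFFER), "events:", EVENTS)
```

Running the block shows `EVENTS` still empty after the AST pass and containing both tags after the exec pass, which is the gap the advisory describes: filtering harvested `import` lines (the g:pythoncomplete_allow_import mitigation) does nothing about expressions that live inside the `def` and `class` statements themselves.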
Exploitation likelihood
0.2% chance of exploitation in 30 days · 13th percentile
Impact if exploited
7.5 · CVSS 4.0 · HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ⚠ User interaction: Requires active user interaction
- ✓ Complexity: No special conditions — reliably repeatable
- ⚠ Requirements: Specific conditions must be present
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products
- Vim
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
- Red Hat Openshift Container Platform 4
Weakness (CWE)
- CWE-94: Code injection
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
Technical & other
- https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
- https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
- https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2
- https://github.com/vim/vim/releases/tag/v9.2.0597
- https://access.redhat.com/security/cve/CVE-2026-52860
- https://bugzilla.redhat.com/show_bug.cgi?id=2487987
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52860.json